So I've been having a difficult time with doing field extractions and not getting the results I expect. In a single-instance VM it works perfectly; however, in my production systems none of my attempts at extract or transform have worked. With that said, I've racked my brain trying to get a props config to work.
props.conf
[sourcetype4]
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
pulldown_type = true
EXTRACT-timestamp,EVENT,Session_ID,SID,UserName,OSUserID,MachineName,Module = ^"(?P<timestamp>[^"]+)","(?P<EVENT>\w+)","(?P<Session_ID>\d+)(?:[^"\n]*"){2}(?P<SID>\d+)","(?P<UserName>[^"]+)[^,\n]*,"(?P<OSUserID>[^"]+)","(?P<MachineName>\w+\\\w+)[^,\n]*,"(?P<Module>[^"]+)
In the VM it works perfectly, but when I put it on the search head in production it fails to do anything at all. I get no errors from btool, I don't see anything that would supersede the config, and not a single field is extracted. Heck, in the test VM it's correctly grabbing timestamp, but not in production. Can anyone help with troubleshooting this? What is the best way in which I can trace out exactly when each stanza is being hit?
Thanks!
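One way to check the regex itself, outside Splunk, is to run it over a sample event and see at which named group it stops matching. The script below is an added example, not part of the original post: it splits the EXTRACT regex from the props.conf above into one segment per field, tests cumulative prefixes of it, and reports the last field that still matched and the first one that did not. The two sample events are constructed; Python's `re` is used as a stand-in for Splunk's PCRE engine, which it approximates closely enough for this pattern.

```python
import re

# The EXTRACT regex from the post, split at each named group so that
# cumulative prefixes can be tested one field at a time. Joined, the
# segments are byte-for-byte the regex in the props.conf above.
SEGMENTS = [
    ("timestamp",   r'^"(?P<timestamp>[^"]+)"'),
    ("EVENT",       r',"(?P<EVENT>\w+)"'),
    ("Session_ID",  r',"(?P<Session_ID>\d+)'),
    ("SID",         r'(?:[^"\n]*"){2}(?P<SID>\d+)"'),
    ("UserName",    r',"(?P<UserName>[^"]+)[^,\n]*'),
    ("OSUserID",    r',"(?P<OSUserID>[^"]+)"'),
    ("MachineName", r',"(?P<MachineName>\w+\\\w+)[^,\n]*'),
    ("Module",      r',"(?P<Module>[^"]+)'),
]
FULL_REGEX = "".join(seg for _, seg in SEGMENTS)


def extract(line):
    """Return the named groups as a dict, or None when the regex does not match."""
    m = re.match(FULL_REGEX, line)
    return m.groupdict() if m else None


def diagnose(line):
    """Find how far along the event the regex gets.

    Returns (last_ok, first_failed): the last field whose cumulative prefix
    of the regex still matches, and the first field whose prefix does not.
    (None, "timestamp") means nothing matched at all; ("Module", None)
    means the whole regex matched.
    """
    last_ok = None
    prefix = ""
    for name, seg in SEGMENTS:
        prefix += seg
        if re.match(prefix, line) is None:
            return last_ok, name
        last_ok = name
    return last_ok, None


# Constructed sample events (not real data). The second one has a machine
# name without the DOMAIN\host form that the MachineName group requires,
# so the extraction silently yields nothing for that event.
GOOD_LINE = r'"2019-03-04 08:15:22","LOGIN","12345","678","jdoe","jdoe-os","CORP\WS01","Auth","ok"'
BAD_LINE = r'"2019-03-04 08:15:22","LOGIN","12345","678","jdoe","jdoe-os","CORP-WS01","Auth","ok"'

if __name__ == "__main__":
    for line in (GOOD_LINE, BAD_LINE):
        print("fields :", extract(line))
        print("stops at:", diagnose(line))
```

Running `diagnose` over a handful of events copied verbatim from the production index (rather than from the VM) shows quickly whether the regex or the environment is the problem: if the production events stop at an early field, the data differs in a way the regex does not tolerate; if they match all the way through, the regex is fine and the stanza is not being applied to those events.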