My application logs to win event application log. I have the following log and am trying to extract the SAG: values:
Event Number: 206 Event Class: Security
SWIFTNet User : frodo
Certificate : HSM1:seo-sag1
DN : cn=seo-sag1,o=irceie2d,o=swift
So in the above I would be trying to get SN-I
I use the field extractor and it tells me that everything is extracting correctly but when the field is generated in the search it extracts everything from SN-I to the end of the log as a field.
The regex the field extraction uses is: (?i) Sag:(?P .+)
I've tried to use $ and \z \Z at the end of the regex to signify the end but it still extracts everything from SN-I to the end of the log.
Any ideas what's going on here as I managed to extract the Event Number without any issue.
... View more