I have events that do not extract the fields from the message field by default. I'm trying to set up props/transforms to auto-extract the fields at search time. I believe I have the props and transforms set up properly; however, it's not working. I think the issue is the regex I'm using and possibly the first 2 lines of the message data.
Props:
[source::WinEventLog:Directory Service]
REPORT-dsfields = ds_fields
Transforms:
[ds_fields]
SOURCE_KEY = Message
REGEX = ([^:]+):\n(.*[\S])
FORMAT = $1::$2
MV_ADD = true
KEEP_EMPTY_VALS = true
The regex appears to extract the fields properly, with the exception of the first line, which I don't need. I also tried this regex:
(?:.*\n){2}([^:]+):\n(.*[\S])
which also appears to work to exclude the first two lines. However, the combination doesn't extract fields when searching. If I extract a single value in the same props and transforms it works, so I believe the files are configured properly.
I don't care if the first line (Internal event:) is extracted or not. The goal is to extract the field/value pairs in the rest of the message.
The message field data looks like:
Internal event: A client issued a search operation with the following options.
Client:
10.215.215.215:61759
Starting node:
DC=domain,DC=Domain,DC=Domain,DC=local
Filter:
(accountNameHistory=*[DG]*)
Search scope:
subtree
Attribute selection:
accountNameHistory,employeeType,title,info,groupType,distinguishedName,objectGUID,sAMAccountType,departmentNumber,memberOf,objectSid,objectClass
Server controls:
Visited entries:
1556
Returned entries:
8
Used indexes:
Ancestors_index:3356:N;
Pages referenced:
16745
Pages read from disk:
31
Pages preread from disk:
9
Clean pages modified:
0
Dirty pages modified:
0
Search time (ms):
313
Attributes Preventing Optimization:
accountNameHistory
User:
Domain\some-user-account
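The pairing a REPORT transform performs (one $1::$2 field per regex match), reproduced in Python as an added example that is not part of the post or of any Splunk configuration. The sample message is a constructed, abbreviated copy of the one quoted above. It shows why the posted regex misaligns once it reaches a key with no value (Server controls:), and contrasts it with a line-anchored regex that keeps empty keys and values containing colons intact; in PCRE the equivalent of re.MULTILINE is the (?m) flag.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample, abbreviated from the Directory Service message in the post.
MESSAGE = r"""Internal event: A client issued a search operation with the following options.
Client:
10.215.215.215:61759
Starting node:
DC=domain,DC=Domain,DC=Domain,DC=local
Server controls:
Visited entries:
1556
Used indexes:
Ancestors_index:3356:N;
Search time (ms):
313
User:
Domain\some-user-account"""

# The regex from the post. [^:]+ also matches newlines, so the key of each match
# runs from wherever the previous match ended, and a key with no value line
# swallows the next key as its "value".
POSTED_RE = re.compile(r"([^:]+):\n(.*[\S])")

# Line-anchored alternative: a key is a whole line ending in ":"; its value is the
# next line unless that line is itself a key, in which case the value is empty.
# Values may contain colons (10.215.215.215:61759, Ancestors_index:3356:N;).
LINE_RE = re.compile(r"^([^:\n]+):(?:\n(?![^:\n]+:$)(.*))?$", re.MULTILINE)


def extract_posted(message: str) -> List[Tuple[str, str]]:
    """Every (key, value) pair the posted regex would hand to FORMAT = $1::$2."""
    return POSTED_RE.findall(message)


def extract_by_line(message: str) -> Dict[str, Optional[str]]:
    """Key -> value with the line-anchored regex; keys with no value map to None."""
    return {key: (value if value != "" else None) for key, value in LINE_RE.findall(message)}


if __name__ == "__main__":
    for key, value in extract_posted(MESSAGE):
        print(f"posted  {key!r} :: {value!r}")
    for key, value in extract_by_line(MESSAGE).items():
        print(f"by-line {key!r} :: {value!r}")
```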