The answer is ...
... a mistake in my REGEX. There had been missing the escape-character in front of <(!)
So the right syntax is
PREAMBLE_REGEX=\<[?qe][x:v][mqe][lun][ at][vkP]
But there is a different behavior between REG-Interpretation over GUI-Data-Import and the entry in the props.conf!
Over the GUI the \ isn't needed.
Additions 1
For those, who wants to know, how the right idea had came to me.
After many hours intensive work and study and use of btool my eye was catched by the fact, that for example the default-Entry for TIME_PREFIX is often
TIME_PREFIX = \[
So i had had the idea, that there is the same mechanism in my REGEX!
Addition 2
I organized my work in different trials, Between these trials i clean the index mg_earthquake, to get an unique system.
After i had found the solution, i had made an opposite trial, with the wrong REGEX (without the escape-character). And again i had put the right solution, but had forgotten the cleaning. Surprisingly for me the right solution didn't work!
After restart the indexer (cleaning the index is not possible, when splunk is running) IT WORKS!
One explanation is for me, that there is some communication between forwarder and indexer and the indexer held this information until restart.
Addition 3
Many thanks to MuS, who had inspired me to continue this (for me) hard work!
... View more