Hi gentcore,
Do you want to display or to index the event in this way?
If you want to display the event in this way, you can use a regex like this:
your_search
| rex "\{\s+\[-\]\s*line:\s+(?<my_log>[^\}]*)"
| table _time my_log
If instead you want to index only this part of the event and discard the rest, you have to insert this in your props.conf, in the stanza of this sourcetype:
SEDCMD-my_log = s/\{\s+\[-\]\s*line:\s+//g
You can test the regex at https://regex101.com/r/AZsiou/1 .
Bye.
Giuseppe
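The two approaches in the answer behave differently: the rex command extracts the text into a field at search time and leaves _raw untouched, while the SEDCMD strips the prefix before the event is written to the index. The following script is an added example (not part of the answer above, and not Splunk code) that runs the same two patterns with Python's re module against constructed sample events, so you can see exactly what each one captures or removes; the only change is that Python spells the named group as (?P<my_log>...) rather than (?<my_log>...). The sample events, including the multi-line one, are made up for this illustration.

```python
import re
from typing import Optional

# Search-time extraction: the answer's rex pattern, with Python's (?P<name>...) group syntax.
REX_PATTERN = re.compile(r"\{\s+\[-\]\s*line:\s+(?P<my_log>[^\}]*)")

# Index-time rewrite: the answer's SEDCMD pattern; re.sub with no count replaces all
# matches, which mirrors the trailing "g" flag of the sed expression.
SEDCMD_PATTERN = re.compile(r"\{\s+\[-\]\s*line:\s+")

# Constructed sample events (hypothetical, not taken from the question).
EVENT_SINGLE_LINE = "{ [-] line: 2024-01-01T10:00:00Z app started }"
EVENT_NO_MATCH = "plain text event with no JSON wrapper"
EVENT_MULTI_LINE = "{ [-]\n  line: payment failed\n  level: ERROR\n}"


def extract_my_log(event: str) -> Optional[str]:
    """What `| rex ...` would put into my_log for this event, or None when it does not match.

    Note that [^\\}]* runs up to the closing brace, so it also captures any trailing
    whitespace and, on multi-line events, every other key that precedes the brace.
    """
    m = REX_PATTERN.search(event)
    return m.group("my_log") if m else None


def apply_sedcmd(event: str) -> str:
    """What the SEDCMD would leave in _raw at index time: only the prefix is removed."""
    return SEDCMD_PATTERN.sub("", event)


def main() -> None:
    for event in (EVENT_SINGLE_LINE, EVENT_NO_MATCH, EVENT_MULTI_LINE):
        print("event  :", repr(event))
        print("  rex  :", repr(extract_my_log(event)))
        print("  sed  :", repr(apply_sedcmd(event)))


if __name__ == "__main__":
    main()
```

The multi-line case is worth checking against your real data before deploying the SEDCMD: once the prefix is gone it cannot be recovered, whereas the rex version can be adjusted freely at search time.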