I played around with the regex and it seems to have fixed the issue. But the original regex does not seem to be wrong. Please see the regex rules below.
Original regex: [fw4_rule_traffic]\s[(?P([^]]+|))](|\s)(?P[^,]+),(?P[^,]+),(?P[^,]+),(?P[^,]+),(?P[^,]+),(?P[^,]+),(?P[^,]+),(?P[^.]+)
Updated regex: ^[^[\n]][fw4_rule_traffic]\s+[(?P[^]]+|)]\s*(?P[^,]+),(?P[^,]+),(?P[^,]+),(?P[^,]+),(?P\d+),(?P\d+),(?P\d+),(?P\d+)
Event with v3 (value=dmzfw_1) is not successfully extracted. (Other fields in the event below, and other events, are successfully extracted.)
timestamp ip_addr 1 timestamp [fw4_rule_traffic] [xx.xx.xx.xx]2017-03-09 10:10:00,dmzfw_1,30,ALLOW,32,13608,0,0.
Some notes on the sample event:
- The masked ip_addr can be an empty string (i.e. [])
- There can be a space between [ip_addr] and the following timestamp (i.e. [x.x.x.x] 2017...)
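As an added illustration that is not part of the original post, the following Python regex extracts the fields of the fw4_rule_traffic line format described above and handles both notes (an empty [] and an optional space before the timestamp). The group names v1 to v9 are assumed; the post only confirms that v3 carries the value dmzfw_1, and the sample events are constructed.

```python
import re

# Added example, not the poster's regex. Group names v1..v9 are assumed
# (the post only confirms that v3 holds "dmzfw_1"). Splunk uses PCRE, but
# (?P<name>...) named groups behave the same way in Python's re module.
FW4_RE = re.compile(
    r"\[fw4_rule_traffic\]\s+"
    r"\[(?P<v1>[^\]]*)\]"            # masked ip_addr; an empty [] is allowed
    r"\s*"                           # optional space before the timestamp
    r"(?P<v2>[^,]+),"                # timestamp, e.g. 2017-03-09 10:10:00
    r"(?P<v3>[^,]+),"                # e.g. dmzfw_1
    r"(?P<v4>[^,]+),"
    r"(?P<v5>[^,]+),"                # e.g. ALLOW (not numeric)
    r"(?P<v6>\d+),"
    r"(?P<v7>\d+),"
    r"(?P<v8>\d+),"
    r"(?P<v9>\d+)"
)


def extract(line):
    """Return the named fields of one event line as a dict, or None if no match."""
    m = FW4_RE.search(line)
    return m.groupdict() if m else None


# Constructed sample events: the event from the post, one with an empty
# masked ip_addr, and one with a space between [ip_addr] and the timestamp.
SAMPLES = [
    "host1 [fw4_rule_traffic] [xx.xx.xx.xx]2017-03-09 10:10:00,dmzfw_1,30,ALLOW,32,13608,0,0.",
    "host1 [fw4_rule_traffic] []2017-03-09 10:10:01,dmzfw_1,30,DENY,40,0,0,0.",
    "host1 [fw4_rule_traffic] [10.0.0.1] 2017-03-09 10:10:02,dmzfw_2,31,ALLOW,32,100,1,0.",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(extract(sample))
```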