I have a custom sourcetype that has the following advanced setting:

Name/Value: `EXTRACT-app` (field extraction)

```
^(?P<date>\w+\s+\d+\s+\d+:\d+:\d+)\s+(?P<host>[^ ]+) (?P<service>[a-zA-Z\-]+)_app (?P<level>\w+)⏆(?P<controller>[^⏆]*)⏆(?P<thread>[^⏆]*)⏆((?P<flowId>[a-z0-9]*)⏆)?(?P<message>[^⏆]*)⏆(?P<exception>[^⏆]*)
```

I updated the regex to be slightly less restrictive about the whitespace following the `_app` portion:

Name/Value: `EXTRACT-app` (field extraction)

```
^(?P<date>\w+\s+\d+\s+\d+:\d+:\d+)\s+(?P<host>[^ ]+) (?P<service>[a-zA-Z\-]+)_app\s+(?P<level>\w+)⏆(?P<controller>[^⏆]*)⏆(?P<thread>[^⏆]*)⏆((?P<flowId>[a-z0-9]*)⏆)?(?P<message>[^⏆]*)⏆(?P<exception>[^⏆]*)
```

(So instead of matching on two spaces exactly following `_app`, we match on one or more whitespace characters.)

After saving this change, it appears Splunk Cloud still uses the previous regex. (Events that include only a single space after `_app` don't get their fields extracted.) I thought perhaps I needed to wait a little while for the change to propagate, but I made the change yesterday and it still doesn't extract the fields today.

Is there anything else I need to do to have the regex change take effect?
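As an added check that is not part of the original post: a small Python harness that assembles both forms of the EXTRACT-app regex from the post's pattern and runs them over constructed sample events, so the regex itself can be ruled in or out as the cause before looking at how the setting was saved. It assumes the original pattern had two literal spaces after `_app`, as the post describes, and uses Python's `re`, which accepts the same `(?P<name>...)` group syntax as the PCRE Splunk uses for this pattern.

```python
import re
from typing import Optional

# Added harness, not Splunk: checks the post's EXTRACT-app regex against
# constructed sample events. The delimiter is the literal character U+23C6.
PREFIX = (
    r"^(?P<date>\w+\s+\d+\s+\d+:\d+:\d+)\s+(?P<host>[^ ]+) "
    r"(?P<service>[a-zA-Z\-]+)_app"
)
FIELD_BODY = (
    r"(?P<level>\w+)⏆(?P<controller>[^⏆]*)⏆(?P<thread>[^⏆]*)⏆"
    r"((?P<flowId>[a-z0-9]*)⏆)?(?P<message>[^⏆]*)⏆(?P<exception>[^⏆]*)"
)


def build_pattern(separator: str) -> re.Pattern:
    """Assemble the EXTRACT-app regex with the given separator after '_app'."""
    return re.compile(PREFIX + separator + FIELD_BODY)


# Assumption: the original pattern had two literal spaces after '_app',
# as the post describes; the revised pattern uses \s+ instead.
OLD_PATTERN = build_pattern("  ")
NEW_PATTERN = build_pattern(r"\s+")


def extract_fields(pattern: re.Pattern, event: str) -> Optional[dict]:
    """Return the named-group fields for one event, or None if it does not match."""
    m = pattern.match(event)
    if m is None:
        return None
    # Drop groups that did not participate (e.g. the optional flowId).
    return {k: v for k, v in m.groupdict().items() if v is not None}


# Constructed sample events: two spaces after '_app' with a flowId,
# and one space after '_app' without a flowId but with an exception.
TWO_SPACE_EVENT = (
    "Mar 12 10:15:42 web-01 orders_app  INFO⏆OrderController⏆http-nio-8080-exec-3"
    "⏆a1b2c3⏆Order created⏆"
)
ONE_SPACE_EVENT = (
    "Mar 12 10:15:43 web-01 orders_app ERROR⏆OrderController⏆http-nio-8080-exec-4"
    "⏆Order failed⏆NullPointerException"
)

if __name__ == "__main__":
    for name, pattern in (("old", OLD_PATTERN), ("new", NEW_PATTERN)):
        for event in (TWO_SPACE_EVENT, ONE_SPACE_EVENT):
            print(name, extract_fields(pattern, event))
```

If the revised pattern extracts the single-space event here but not in Splunk Cloud, the regex is sound and the problem lies in where the change was saved rather than in the pattern.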