Sorry for not being so clear, here is a description of what was done:

I want to extract fields in HF before sending to Splunk Cloud.

transforms.conf

[field_extract_username]
SOURCE_KEY = _raw
REGEX = (\susername\s\[(?P<user>.+?)\]\s)
FORMAT = user::$1

props.conf

[keycloak]
DATETIME_CONFIG =
INDEXED_EXTRACTIONS = json
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
category = Custom
pulldown_type = 1
disabled = false
SHOULD_LINEMERGE = true
REPORT-field_extract = field_username
EXTRACT-username = \susername\s\[(.+?)\]\s
EXTRACT-user = (\susername\s\[(?P<user>.+?)\]\s)

EXTRACT-username and EXTRACT-user I created as a test after REPORT-field_extract extracted the user field.

_raw log:

{ "log": "stdout F {\"timestamp\":\"%s\",\"sequence\":%d,\"loggerClassName\":\"org.jboss.logging.Logger\",\"loggerName\":\"br.com.XXXXXX. keycloak.login.pf.clients.CustomerLoginClient\",\"level\":\"INFO\",\"message\":\"CustomerLoginClient.fetchValidateLogin - Processed - username [XX157118577] clientId [https://www.XXXX.com/app] took [104ms]\",\"threadName\":\"executor-thread-3577\",\"threadId\":1XXXXX73,\"mdc\":{\"dt.entity.process_group\":\"PROC ESS_GROUP-DXXA014C1XXXX7EC\",\"dt.host_group.id\":\"prd\",\"dt.entity.host_group\":\"HOST_GROUP-46FAFFBA838D4E81\", \"dt.entity.host\":\"HOST-971DXXXXXXX0F72E\",\"dt.entity.process_group_instance\":\"PROCESS_GROUP_INSTANCE-60C0A631 DB5AB172\"},\"ndc\":\"\",\"hostName\":\"keycloak-XXXXX-X\",\"processName\":\"QuarkusEntryPoint\",\"processId\":1}", "source": "/var/log/containers/keycloak-XXXXX-0_XXXXXX_keycloak-814935ba7b1d4XXXXXXXXeb8d4dfc51d27283a257c4a96526eb.log", "host": "[\"keycloak-XXXXX-0\"]", "type": "-", "environment": "prod" }