I've created a new source type with a regex. It was working but I found an edge case where it was broken. I rewrote the regex using a capture group but the group doesn't seem to be  getting applied. Can someone tell me if this should work? Here is my regex: s/"message":\s*"{([\s\S]*)}"/"data": {$1}/g put in "SEDCMD-a".  My json data is as follows: { "message": "{ "test": "test data" }" } and my transformed data ends up like this: { "data": {$1}} It isn't making the replacement with the capture group. Am I doing something wrong? Should this work? Thanks, -Tim ... View more

I am trying to figure out the best way to perform this search. I have some json log/events where the event data is slightly different based on the type of fruit (this is just an example). I have two searches that return each thing that I want. I'm not sure if it is best to try and combine the two searches or if there is a better way all together.  Here is an example of my event data:   Event Type 1 { "data": { "fruit": { "common": { "type": "apple", "foo": "bar1" }, "apple": { "color": "red", "size": "medium", "smell": "sweet" } } } } Event Type 2 { "data": { "fruit": { "common": { "type": "pear", "foo": "bar2" }, "pear": { "color": "green", "size": "medium", "taste": "sweet" } } } }     I want to extract all of the "color" values from all of the log/json messages. I have two separate queries that extract each one but I want them in a single table. Here are my current queries/searches: index=main | spath "data.pear.color" | search "data.pear.color"=* | eval fruitColor='data.pear.color' | table _time, fruitColor index=main | spath "data.apple.color" | search "data.apple.color"=* | eval fruitColor='data.apple.color' | table _time, fruitColor I know that there must be a way to do something with the 'type' field to do what I want but can't seem to figure it out. Any suggestion is appreciated.     ... View more