I have a tab-delimited log file that looks like:
#Fields: time Data LoginID ContextID
"2011-02-20 21:38:59" /opt/opensso_domain1/opensso/log/ "cn=dsameuser,ou=DSAME Users,dc=xxx,dc=xxx,dc=com" 66bee9c28495081c
"2011-02-20 21:38:59" "Login Success|module_instance|Application" "cn=dsameuser,ou=DSAME Users,dc=xxx,dc=xxx,dc=com" b65b9f90eff3192b01
I created a deployed app, and assigned the sourcetype to be "openam_log" in inputs.conf.
Then I tried to do an inline field extraction in props.conf:
[openam_log]
EXTRACT-openam_date = "(?<openam_time>[^\t]+)"
I verified the regex in Search with the command:
sourcetype=openam_log | rex field=_raw "(?<openam_time>[^\t]+)"
That worked in Search, however the field still doesn't show up in Manager > Fields > Extracted Fields in the UI.