thx a lot! ... View more

Your regex contains just 1 capturing group, so how can you refer to $4 and $8? Yes, this regex matches all the bits separated by spaces, but this is not how you extract fields from an event like this. Approaches that would work: REGEX = (".*?"|\S+)\s(".*?"|\S+)\s(".*?"|\S+)\s etc. FORMAT = field1::$1 field2::$2 field3::$3 etc. Which uses a regex that matches the event as a whole and extracts each field into a capture group and then assigns those capture groups to the relevant fieldname. Or: REGEX = (?:(?:".*?"|\S+)\s){10}(".*?"|\S+) FORMAT = ip::$1 Which skips over X (10 in this example) fields and then extracts a single piece to assign to a specific field. ... View more