Hi folks,
Recently onboarded a new sourcetype configured with search-time extractions. The regex works when tested on sample data; however, at search time about 400 fields are extracted which are complete nonsense, and the desired fields aren't extracted at all.
Config is on the heavy forwarder and the search head cluster.
Any guidance would be much appreciated!
Thanks
[aam_wss]
DATETIME_CONFIG =
NO_BINARY_CHECK = true
category = Custom
disabled = false
KV_MODE = none
pulldown_type = true
TZ = UCT
EXTRACT-wss = " ^(?<x_bluecoat_request_tenant_id>[^\s]+) (?<date>\d+\-\d+\-\d+) (?<time>\d+:\d+:\d+) \"(?<x_bluecoat_appliance_name>[^\s]+)\" (?<time_taken>[^\s]+) (?<c_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) (?<cs_userdn>[^\s]+) \"?(?<cs_auth_groups>[^\s\"]+)\"? (?<x_exception_id>[^\s]+) (?<sc_filter_result>[^\s]+) \"(?<cs_categories>.*?)\" (?<cs_Referer>[^\s]+) (?<sc_status>[^\s]+) (?<s_action>[^\s]+) (?<cs_method>[^\s]+) (?<rs_Content_Type>[^\s]+) (?<cs_uri_scheme>[^\s]+) (?<cs_host>[^\s]+) (?<cs_uri_port>[^\s]+) (?<cs_uri_path>[^\s]+) (?<cs_uri_query>[^\s]+) (?<cs_uri_extension>[^\s]+) \"?(?<cs_User_Agent>.*?)\"? (?<s_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) (?<sc_bytes>[^\s]+) (?<cs_bytes>[^\s]+) (?<x_data_leak_detected>[^\s]+) (?<x_virus_id>[^\s]+) (?<x_bluecoat_location_id>[^\s]+) \"(?<x_bluecoat_location_name>.*?)\" (?<x_bluecoat_access_type>[^\s]+) \"(?<x_bluecoat_application_name>.*?)\" \"(?<x_bluecoat_application_operation>.*?)\" (?<r_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) \"(?<r_supplier_country>.*?)\" (?<x_rs_certificate_validate_status>[^\s]+) (?<x_rs_certificate_observed_errors>[^\s]+) (?<x_cs_ocsp_error>[^\s]+) (?<x_rs_ocsp_error>[^\s]+) (?<ssl_version>[^\s]+) (?<negotiated_cipher>[^\s]+) (?<cipher_size>[^\s]+) (?<x_rs_certificate_hostname>[^\s]+) \"?(?<certificate_hostname_categories>.*?)\"? 
(?<x_cs_negotiated_ssl_version>[^\s]+) (?<x_cs_negotiated_cipher>[^\s]+) (?<x_cs_negotiated_cipher_size>[^\s]+) (?<x_cs_certificate_subject>[^\s]+) (?<cs_icap_status>[^\s]+) (?<cs_icap_error_details>[^\s]+) (?<rs_icap_status>[^\s]+) (?<rs_icap_error_details>[^\s]+) (?<s_supplier_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) (?<s_supplier_country>[^\s]+) (?<s_supplier_failures>[^\s]+) \"(?<x_cs_client_ip_country>.*?)\" (?<cs_threat_risk>[^\s]+) (?<x_rs_certificate_threat_risk>[^\s]+) (?<x_client_agent_type>[^\s]+) (?<x_client_os>[^\s]+) (?<x_client_agent_sw>[^\s]+) (?<x_client_device_id>[^\s]+) (?<x_client_device_name>[^\s]+) (?<x_client_device_type>[^\s]+) (?<x_client_security_details>[^\s]+) (?<x_client_security_risk_score>[^\s]+) (?<x_bluecoat_reference_id>[^\s]+) (?<x_sc_connection_issuer_keyring>[^\s]+) (?<x_scissuer_keyring_alias>[^\s]+) (?<x_cloud_rs>[^\s]+) (?<x_bluecoat_placeholder>[^\s]+) (?<cs_X_Requested_With>[^\s]+) (?<x_bluecoat_transaction_uuid>[^\s]+)"
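An added check, not part of the original post and not Splunk's own tooling: a short Python script that reads a props.conf stanza the way Splunk does (one setting per line, surrounding whitespace trimmed, quote characters kept literally, a trailing backslash as the only line continuation) and runs each EXTRACT-* regex against a sample event, so the regex that actually gets deployed can be compared with the one that worked in a regex tester. The stanza and the event below are constructed, shortened stand-ins for the posted ones (the first seven Bluecoat/WSS fields only). They reproduce three things that are visible in the stanza as it appears in the post: the value wrapped in double quotes, a space between the opening quote and the ^ anchor, and the pattern continued on a second line that does not end in a backslash. Whether any of these is what breaks the extraction here is not established by the post; the script only shows how each one changes what is compiled. Because Python's re module does not accept PCRE's (?<name>...) spelling, the script rewrites named groups to (?P<name>...) before compiling.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for the posted stanza: the first seven Bluecoat/WSS
# fields only, reproducing three things seen in the post: the value wrapped in
# double quotes, a space before the ^ anchor, and the regex continued on a
# second line that does not end in a backslash.
PROPS_AS_POSTED = r'''[aam_wss]
KV_MODE = none
EXTRACT-wss = " ^(?<x_bluecoat_request_tenant_id>[^\s]+) (?<date>\d+\-\d+\-\d+) (?<time>\d+:\d+:\d+) \"(?<x_bluecoat_appliance_name>[^\s]+)\" (?<time_taken>[^\s]+)
(?<c_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) (?<cs_userdn>[^\s]+)"
'''

# Constructed sample event in the same field order.
SAMPLE_EVENT = 'tenant-42 2024-05-01 13:07:09 "wss-proxy-eu1" 215 10.20.30.40 CN=alice,OU=staff'

# A conf line is "key = value" only when it starts with a Splunk-style key name.
KEY_RE = re.compile(r"^[A-Za-z_][\w.:\-]*\s*=")


def parse_stanza(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Read one props.conf stanza with the Splunk rules that matter here:
    one setting per line, whitespace around key and value trimmed, quotes kept
    as literal characters, and a trailing backslash as the only way to continue
    a value onto the next line. A bare line that is not key=value is reported
    instead of silently becoming part of the regex."""
    settings: Dict[str, str] = {}
    warnings: List[str] = []
    last_key: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            last_key = None
            continue
        if KEY_RE.match(line):
            key, _, value = line.partition("=")
            last_key = key.strip()
            settings[last_key] = value.strip()
        elif last_key is not None and settings[last_key].endswith("\\"):
            settings[last_key] = settings[last_key][:-1] + line  # explicit continuation
        elif last_key is not None:
            warnings.append(f"{last_key}: regex continues on a bare line; Splunk does not join it")
            settings[last_key] += " " + line  # joined here so the whole regex can still be tested
        else:
            warnings.append(f"unparseable line: {line!r}")
    return settings, warnings


def lint_extract(value: str) -> Tuple[str, List[str]]:
    """Return the regex with the presentation problems removed plus one
    finding per problem; each finding means the deployed regex differs
    from the one that was tested."""
    findings: List[str] = []
    cleaned = value
    if len(cleaned) >= 2 and cleaned[0] == '"' and cleaned[-1] == '"':
        findings.append('value wrapped in double quotes; they become literal " characters in the regex')
        cleaned = cleaned[1:-1]
    if cleaned != cleaned.lstrip():
        findings.append("leading whitespace before the pattern; a ^ anchor after it can never match")
        cleaned = cleaned.lstrip()
    return cleaned, findings


def to_python_regex(pattern: str) -> "re.Pattern[str]":
    """Splunk compiles PCRE, where named groups are (?<name>...); Python's re
    only accepts (?P<name>...), so rewrite them (lookbehinds are left alone)."""
    return re.compile(re.sub(r"\(\?<(?![=!])", "(?P<", pattern))


def extract(pattern: str, event: str) -> Optional[Dict[str, str]]:
    """Apply an EXTRACT regex the way search-time extraction does: first
    match anywhere in the event, each named group becomes a field."""
    match = to_python_regex(pattern).search(event)
    return None if match is None else match.groupdict()


def check_props(text: str, event: str) -> Dict[str, object]:
    """Lint every EXTRACT-* setting in the stanza and show the fields it
    yields on the event before and after cleanup."""
    settings, warnings = parse_stanza(text)
    extractions: Dict[str, Dict[str, object]] = {}
    for key, value in settings.items():
        if not key.startswith("EXTRACT-"):
            continue
        cleaned, findings = lint_extract(value)
        extractions[key] = {
            "findings": findings,
            "fields_as_posted": extract(value, event),
            "fields_after_cleanup": extract(cleaned, event),
            "cleaned_regex": cleaned,
        }
    return {"warnings": warnings, "extractions": extractions}


if __name__ == "__main__":
    import json
    print(json.dumps(check_props(PROPS_AS_POSTED, SAMPLE_EVENT), indent=2))
```

Run it as-is to see the report for the constructed stanza, or paste the full stanza from the post into PROPS_AS_POSTED and a real (redacted) event into SAMPLE_EVENT. For the constructed input the as-posted regex yields no fields at all, because a literal quote and space in front of the ^ anchor can never match, while the cleaned regex yields the seven expected fields; the bare continuation line is reported as a warning. Splunk's btool output (splunk btool props list aam_wss --debug) shows the value exactly as Splunk read it and is the authoritative thing to paste into the check.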