Don't rely on built-in stuff, build it yourself. Pick a sourcetype that makes sense to you. The emerging standard is "vendor:product:type" but it doesn't matter. Then build out your field extractions yourself. Start with setting "KV_MODE=auto" and build out the rest from there. Here is some of that done in SPL but you should NOT do it in SPL, do it in KOs:

| makeresults
| eval _raw="2023-04-05 1:42:25 UTC [25804]: [3-1] user=pgmon,db=postgres,app=psql,client=[local] LOG: AUDIT: SESSION,1,1,MISC,BEGIN,,,BEGIN;SET statement_timeout=100;COMMIT;SELECT version() AS"
| append [| makeresults
| eval _raw="2023-04-05 1:42:25 UTC [25804]: [2-1] user=pgmon,db=postgres,app=[unknown],client=[local] LOG: connection authorized: user=pgmon database=postgres" ]
```timestamp at the start of the line; in a KO this is TIME_PREFIX / TIME_FORMAT```
| eval _time = strptime(_raw, "%Y-%m-%d %H:%M:%S %Z")
```automatic key=value extraction of user, db, app, client; in a KO this is KV_MODE=auto```
| kv
```the text after "LOG:" up to the next colon; in a KO this is an EXTRACT- stanza```
| rex "\]\s+LOG:\s+(?<action>[^:]+)"
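The same extractions as knowledge objects rather than SPL, written as an added example that is not part of the post above. The sourcetype name `postgres:pgaudit:log` is an assumed placeholder following the vendor:product:type convention, and the `EXTRACT-pgaudit` regex assumes pgaudit's documented session-log field order (AUDIT_TYPE, STATEMENT_ID, SUBSTATEMENT_ID, CLASS, COMMAND, OBJECT_TYPE, OBJECT_NAME, STATEMENT), which is what the `SESSION,1,1,MISC,BEGIN,,,BEGIN;...` sample line follows:

```ini
# props.conf -- added example, not from the post; sourcetype name is an assumed placeholder
[postgres:pgaudit:log]

# One event per line, timestamp is the first thing on the line.
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S %Z
MAX_TIMESTAMP_LOOKAHEAD = 32

# Automatic key=value extraction: yields user, db, app and client from the
# "user=pgmon,db=postgres,app=psql,client=[local]" prefix (what "| kv" does in the search).
KV_MODE = auto

# Backend pid from "[25804]:" right after the timezone.
EXTRACT-pid = \s\[(?<pid>\d+)\]:

# Same regex as the "| rex" in the search, saved as a search-time extraction.
# Gives action="AUDIT" or action="connection authorized".
EXTRACT-action = \]\s+LOG:\s+(?<action>[^:]+)

# Assumption: pgaudit session-log field order per its documentation.
# Only matches AUDIT events; "connection authorized" lines simply get no audit fields.
EXTRACT-pgaudit = AUDIT:\s+(?<audit_type>[^,]+),(?<statement_id>\d+),(?<substatement_id>\d+),(?<class>[^,]+),(?<command>[^,]*),(?<object_type>[^,]*),(?<object_name>[^,]*),(?<statement>.*)$
```

Drop this into `$SPLUNK_HOME/etc/apps/<your_app>/local/props.conf` (the timestamp and line-breaking keys act at index time on the indexer or heavy forwarder, `KV_MODE` and `EXTRACT-*` at search time on the search head). One caveat: pgaudit writes SQL statements as submitted, so a multi-line statement will break the one-event-per-line assumption here and needs a `LINE_BREAKER` anchored on the timestamp prefix instead.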