Event Flow
(THREAD-XXXX) YYYY-MM-DD 15:53:38.486 - Server_Name flow step millis 32 ('XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX')
(THREAD-XXXX) YYYY-MM-DD 15:53:38.508 - Server_Name flow step millis 22 ('XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX') (Server_Name,)
(THREAD-XXXX) YYYY-MM-DD 15:53:38.517 - flow step millis 64 ('XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX')
(THREAD-XXXX) YYYY-MM-DD 15:53:38.758 - flow step millis 2 ('XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX')
(THREAD-XXXX) YYYY-MM-DD 15:53:38.773 - Server_Name flow step millis 15 ('XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX')
(THREAD-XXXX) YYYY-MM-DD 15:53:38.789 - Server_Name start flow ('IP reverse posting') (status: XXXX@XXX_004) (XXXXXXXXXXXXXXX)
(THREAD-XXXX) YYYY-MM-DD 15:53:38.791 - Server_Name flow step millis 1 ('XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX')
(THREAD-XXXX) YYYY-MM-DD 15:53:38.793 - Server_Name flow step millis 2 ('XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX') - flow stops here
(THREAD-XXXX) YYYY-MM-DD 15:53:38.794 - Server_Name flow step millis 1 ('XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX')
Can anyone extract all fields at search time? I would also like to extract a couple of fields.
May use props.conf or transforms.conf.
In props.conf
EXTRACT-allfields = \(THREAD-(?<thread>\S+?)\) \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+? - (?<server_name>\S+) (?<flow>\S+) (?<step>\S+) (?<millis>\S+) (?<numField>\d+) \('(?<message>\S+?)'\)
Be sure to put it all on one line in your props.conf
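A check worth running before deploying an extraction like this, as an added example that is not part of the original thread: it runs the answer's pattern (with the `server_name` group syntax corrected) over events shaped like the masked samples and reports which ones yield fields. The sample events are constructed, and `TOLERANT_RE` is a hypothetical variant that also covers lines without a server name and the `start flow` line; the `(?<name>...)` syntax used here is the same in JavaScript and in Splunk's PCRE.

```javascript
// Constructed sample events: masked placeholders replaced with made-up values.
const SAMPLE_EVENTS = [
  "(THREAD-0042) 2024-01-15 15:53:38.486 - appsrv01 flow step millis 32 ('loadOrderHeader')",
  "(THREAD-0042) 2024-01-15 15:53:38.508 - appsrv01 flow step millis 22 ('checkStatus') (appsrv01,)",
  "(THREAD-0042) 2024-01-15 15:53:38.517 - flow step millis 64 ('resolvePartner')",
  "(THREAD-0042) 2024-01-15 15:53:38.789 - appsrv01 start flow ('IP reverse posting') (status: OPEN@SYS_004) (batch7)",
  "(THREAD-0042) 2024-01-15 15:53:38.793 - appsrv01 flow step millis 2 ('closeFlow') - flow stops here",
];

// The answer's pattern with the server_name group closed properly.
const ANSWER_RE = /\(THREAD-(?<thread>\S+?)\) \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+? - (?<server_name>\S+) (?<flow>\S+) (?<step>\S+) (?<millis>\S+) (?<numField>\d+) \('(?<message>\S+?)'\)/;

// Hypothetical variant (assumption, not from the thread): the server name is
// optional, "start flow" gets its own branch, and the quoted message may
// contain spaces.
const TOLERANT_RE = /^\(THREAD-(?<thread>[^)]+)\) (?<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) - (?:(?<server_name>\S+) )?(?:flow step millis (?<millis>\d+)|(?<event>start flow)) \('(?<message>[^']*)'\)/;

// Return the named fields for one event, or null when the pattern does not
// match. Groups that did not take part in the match are dropped.
function extract(re, line) {
  const m = re.exec(line);
  if (!m) return null;
  return Object.fromEntries(
    Object.entries(m.groups).filter(([, value]) => value !== undefined)
  );
}

// One boolean per event: did the pattern extract anything from it?
function coverage(re, events) {
  return events.map((line) => extract(re, line) !== null);
}

// Events that silently produce no fields are the ones to look at.
function unmatched(re, events) {
  return events.filter((line) => extract(re, line) === null);
}

console.log("answer pattern  :", coverage(ANSWER_RE, SAMPLE_EVENTS));
console.log("tolerant pattern:", coverage(TOLERANT_RE, SAMPLE_EVENTS));
for (const line of unmatched(ANSWER_RE, SAMPLE_EVENTS)) {
  console.log("no fields from:", line);
}
```

An event the pattern does not match simply gets no extracted fields at search time, so a coverage check like this is the quickest way to spot event shapes the extraction misses.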