I have the following raw AD event which I can see from my search:
08/16/2010 12:55:56.0110
dcName=w2k3r2.demo.dev
admonEventType=Update
Names:
objectCategory=CN=Service-Connection-Point,CN=Schema,CN=Configuration,DC=demo,DC=dev
name=bsmith
displayName=$CimsUserVersion2
distinguishedName=CN=bsmith,CN=Users,CN=default,CN=Zones,CN=Centrify,CN=Program Data,DC=demo,DC=dev
cn=bsmith
Object Details:
objectGUID=cffb0829-0642-134c-2ef1-f03cc696e10b
whenChanged=20100816195556.0Z
whenCreated=20070906020209.0Z
objectClass=top|leaf|connectionPoint|serviceConnectionPoint
Event Details:
uSNChanged=127046
uSNCreated=14129
instanceType=4
Additional Details:
keywords=foo:1111|bar:3333|too:3333
showInAdvancedViewOnly=TRUE
Whenever I try to use the "Extract Fields" UI, the event is truncated after "Event Details" in the "Sample events" frame. What's preventing me from seeing the entire event?
In order to prevent the limited screen real estate from exploding, sample events are truncated at 15 lines (with at most 100 events). I have filed a request for improvement.
From the standard search view, you can still manually test out a regex with the 'rex' search command, and when it works, manually add that regex to your source or sourcetype from the Manager (i.e., Manager » Fields » Field extractions).
Unfortunately, no.
Well, that explains that. I did figure out how to use 'rex' as a workaround. The next question is: can I do dynamic field name generation the same way Splunk does? Something like this:
sourcetype="ActiveDirectory" keywords=* | rex field=_raw "keywords=(?<_KEY_1>[a-z]+):(?<_VALUE_1>[0-9]+)"
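As an added example, not code from this thread: the same regex check done in Python against the event posted in the question, so the pattern can be exercised offline before it is typed into a `rex` search or saved as a field extraction in the Manager. The first pattern is the posted one with the quantifiers it needs to match more than a single character (Python spells named groups `(?P<name>...)`; Splunk's PCRE accepts `(?<name>...)`). The second function shows what a single-capture pattern leaves behind by splitting the whole `keywords` value into one field per key. `RAW_EVENT` is the question's event copied in as constructed input; the other two sample strings are constructed as well.

```python
import re

# Constructed sample: the multi-line AD event from the question, as Splunk holds it in _raw.
RAW_EVENT = """08/16/2010 12:55:56.0110
dcName=w2k3r2.demo.dev
admonEventType=Update
Names:
objectCategory=CN=Service-Connection-Point,CN=Schema,CN=Configuration,DC=demo,DC=dev
name=bsmith
displayName=$CimsUserVersion2
distinguishedName=CN=bsmith,CN=Users,CN=default,CN=Zones,CN=Centrify,CN=Program Data,DC=demo,DC=dev
cn=bsmith
Object Details:
objectGUID=cffb0829-0642-134c-2ef1-f03cc696e10b
whenChanged=20100816195556.0Z
whenCreated=20070906020209.0Z
objectClass=top|leaf|connectionPoint|serviceConnectionPoint
Event Details:
uSNChanged=127046
uSNCreated=14129
instanceType=4
Additional Details:
keywords=foo:1111|bar:3333|too:3333
showInAdvancedViewOnly=TRUE
"""

# Constructed: an event with no keywords line at all.
NO_KEYWORDS_EVENT = "08/16/2010 12:55:56.0110\ndcName=w2k3r2.demo.dev\nadmonEventType=Update\n"

# Constructed: a keywords list with one malformed segment in the middle.
MALFORMED_EVENT = "admonEventType=Update\nkeywords=foo:1111|broken|bar:2\nshowInAdvancedViewOnly=TRUE\n"

# The posted rex pattern with quantifiers added. Python needs (?P<name>...) for named groups;
# Splunk's PCRE also accepts the (?<name>...) form used in the post.
FIRST_PAIR = re.compile(r"keywords=(?P<_KEY_1>[a-z]+):(?P<_VALUE_1>[0-9]+)")

# Whole keywords line (MULTILINE so ^ and $ anchor on the line, not the event).
KEYWORDS_LINE = re.compile(r"^keywords=(?P<kw>\S+)$", re.MULTILINE)

# One key:value segment of the pipe-separated list.
PAIR = re.compile(r"(?P<key>[A-Za-z0-9_]+):(?P<value>[0-9]+)")


def first_pair(raw):
    """What the single-capture pattern yields: only the first key/value pair."""
    m = FIRST_PAIR.search(raw)
    return m.groupdict() if m else {}


def all_pairs(raw):
    """One field per key in the keywords list, i.e. dynamic field names derived from the data."""
    m = KEYWORDS_LINE.search(raw)
    if not m:
        return {}
    fields = {}
    for segment in m.group("kw").split("|"):
        pm = PAIR.fullmatch(segment)
        if pm is None:
            continue  # skip a malformed segment instead of losing the whole event
        fields[pm.group("key")] = pm.group("value")
    return fields


if __name__ == "__main__":
    print(first_pair(RAW_EVENT))
    print(all_pairs(RAW_EVENT))
    print(all_pairs(NO_KEYWORDS_EVENT))
    print(all_pairs(MALFORMED_EVENT))
```

Running the file prints the single pair the posted pattern captures, then the full key-to-value mapping; the last two calls show that an event with no keywords line and a list with a broken segment both degrade gracefully instead of raising.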