Solved: Yet More field extraction problems

integritysuppor · ‎08-13-2013

My application logs to win event application log. I have the following log and am trying to extract the SAG: values:
Message=Component: Sag:SN-I
Event Number: 206 Event Class: Security
Description: foobar
SWIFTNet User : frodo
Certificate : HSM1:seo-sag1
DN : cn=seo-sag1,o=irceie2d,o=swift

So in the above I would be trying to get SN-I

I use the field extractor and it tells me that everything is extracting correctly but when the field is generated in the search it extracts everything from SN-I to the end of the log as a field.

The regex the field extraction uses is: (?i) Sag:(?P.+)

I've tried to use $ and \z \Z at the end of the regex to signify the end but it still extracts everything from SN-I to the end of the log.

Any ideas what's going on here as I managed to extract the Event Number without any issue.

starcher · ‎08-13-2013

Try: (?i) Sag:(?P.[^ ]+)

View solution in original post

starcher · ‎08-13-2013

Try: (?i) Sag:(?P.[^ ]+)

integritysuppor · ‎08-13-2013

yeah that pretty much did it, was outputting as "SN-I Event" though.

So final regex that I used:

(?i) Sag:(?P.[^ ]+)Event

Yet More field extraction problems

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor