I am having some trouble with field extractions coming from a Windows host via a universal forwarder (UF). The log data is being read from a file by the UF. I am hoping someone can offer some insights.
The event looks like this:
General Information
Additional Information:
SPID: 0000009914
MachineName: WWWWWWW
TimeStamp: 10/17/2018 03:13:32 PM
FullName: log4net Version=1.2.10.0
AppDomainName: /LM/W3SVC/9/ROOT-1-131842870514238769
ThreadIdentity: ABCXYZ\USERID
WindowsIdentity: IIS APPPOOL\VVVtage-Train
Exception Information:
System.Xml.XmlException: Root element is missing.
at ABCXYZ.Portal.EAI.GetPremises(String SPID, String UID)
at ABCXYZ.Portal.VVVtage.Main.Refresh()
I can put this event in regex101 and use this regex:
\n([^:]+): ([^\r\n]+)
and it works as desired to capture most of the ":" pairs. I am using the regex in a TRANSFORMS and it works on a *nix host where the source files are manually loaded. However, once I start forwarding the data from the Windows host, no fields are extracted. Since it works on Linux but not on Windows, I am assuming I am missing something Windows specific.
Here is my props.conf:
[sourcetype:xyz]
BREAK_ONLY_BEFORE = General Information
DATETIME_CONFIG =
MAX_TIMESTAMP_LOOKAHEAD = 128
NO_BINARY_CHECK = true
TIME_PREFIX = TimeStamp:
category = Custom
disabled = false
pulldown_type = true
#REPORT-extractall = extract_new
TRANSFORMS-extractall = extract_new
EXTRACT-Exception_Full = System.Xml.XmlException:\s+(?<Exception_Full>[\S\s]+)
EXTRACT-WebException_Full = System.Net.WebException:\s+(?<Exception_Full>[\S\s]+)[\r\n]Request:
EVAL-Exceptions_Consolidated = coalesce(System_Exception,System_Net_WebException,System_Xml_XmlException)
My transforms.conf:
[extract_new]
REGEX=\n([^:]+): ([^\r\n]+)
FORMAT=$1::$2
MV_ADD=true
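As an added check that is not part of the post, the transform regex above is applied to the sample event with both LF and CRLF line endings to see whether Windows line endings alone change what it extracts; using Python's re module in place of Splunk's PCRE is an assumption, but this pattern uses no syntax the two treat differently.

```python
import re

# The TRANSFORMS regex from the post, unchanged. Splunk uses PCRE; for this
# particular pattern Python's re behaves the same (assumption, see lead-in).
KV_REGEX = re.compile(r"\n([^:]+): ([^\r\n]+)")

# Constructed copy of the sample event from the post, LF line endings
# (as the manually loaded file on the *nix host would be read).
EVENT_LF = (
    "General Information\n"
    "Additional Information:\n"
    "SPID: 0000009914\n"
    "MachineName: WWWWWWW\n"
    "TimeStamp: 10/17/2018 03:13:32 PM\n"
    "FullName: log4net Version=1.2.10.0\n"
    "AppDomainName: /LM/W3SVC/9/ROOT-1-131842870514238769\n"
    "ThreadIdentity: ABCXYZ\\USERID\n"
    "WindowsIdentity: IIS APPPOOL\\VVVtage-Train\n"
    "Exception Information:\n"
    "System.Xml.XmlException: Root element is missing.\n"
    "at ABCXYZ.Portal.EAI.GetPremises(String SPID, String UID)\n"
    "at ABCXYZ.Portal.VVVtage.Main.Refresh()"
)

# The same event with CRLF line endings, as a Windows writer would produce it.
EVENT_CRLF = EVENT_LF.replace("\n", "\r\n")


def extract_pairs(event: str) -> list[tuple[str, str]]:
    """Mimic FORMAT=$1::$2 with MV_ADD=true: every match yields one
    (field, value) pair, kept in event order, duplicates not collapsed."""
    return [(m.group(1), m.group(2)) for m in KV_REGEX.finditer(event)]


def line_endings_change_result() -> bool:
    """True only if CRLF and LF input give different extracted pairs."""
    return extract_pairs(EVENT_LF) != extract_pairs(EVENT_CRLF)


if __name__ == "__main__":
    for name, event in (("LF", EVENT_LF), ("CRLF", EVENT_CRLF)):
        print(f"--- {name} ---")
        for field, value in extract_pairs(event):
            print(f"{field} = {value!r}")
    print("line endings change the result:", line_endings_change_result())
```

Lines with a colon but no following space ("Additional Information:") and the stack-trace lines without any colon are skipped under both line-ending styles, so a difference in extraction between the two hosts has to come from somewhere other than this regex's handling of CR.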