We are doing search time indexing, and the following stanza is added to props.conf on the search heads:
[log4j]
EXTRACT-loglevel = \s(?P<loglevel>(FATAL|ERROR|WARN|INFO|DEBUG|TRACE))\s
This was working, but stopped. No changes to config, and I suspect the only thing that changed was the indexed data.
Is there any chance that smart field extraction or something like that is interfering with our extraction? I can see some log statements containing:
....
### loglevel=warn ...
....
Searches for loglevel give zero results:
loglevel=ERROR
But... If we change the name of the extracted field it starts working... (notice the j in front of loglevel)...
[log4j]
EXTRACT-loglevel = \s(?P<jloglevel>(FATAL|ERROR|WARN|INFO|DEBUG|TRACE))\s
Any clue as to where we should start digging? We can of course live with a different name, but it seems a bit unnecessary too. 🙂