First, thank you for the help. I made a mistake in my original post. The SEDCMD command is the following; there is a slash in front of the period, which should escape it and look for a period:
"s/^(\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s)+\S+\.\S+\s+/\1/g"
To "reset" the conversation, the first thing the props file does is call a command in transforms:
[pfsense_sourcetyper]
REGEX = ^\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s+(\w+)([\d+])?:
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::pfsense:$1
This should extract the "filterlog" and output it as sourcetype=pfsense:filterlog. Which it does.
I am assuming that once that is done and control is returned to props.conf, the SEDCMD command is trying to remove everything up to the space in front of filterlog, because the next section in props.conf is the extraction of the pfsense:filterlog:
[pfsense:filterlog]
EXTRACT-ipv4_tcp = filterlog:\s(?[^,]),(?[^,]),(?[^,]),(?[^,]),(?[^,]),(?[^,]),(?[^,]),(?[^,]),(?4),(?[^,]),(?[^,]),(?[^,]),(?[^,]),(?[^,]),(?[^,]),(?[^,]),(?tcp),(?[^,]),(?[^,]),(?[^,]),(?[^,]),(?[^,]),(?[^,]),(?[^,]),(?[^,]),(?[^,]),(?[^,]),(?[^,]),(?[^$])$
EXTRACT-ipv4_udp = filterlog:\s(?[^,]),(?[^,]),(?[^,]),(?[^,]),(?[^,]),(?[^,]),(?[^,]),(?[^,]),(?4),(?[^,]),(?[^,]),(?[^,]),(?[^,]),(?[^,]),(?[^,]),(?[^,]),(?udp),(?[^,]),(?[^,]),(?[^,]),(?[^,]),(?[^,]),(?[^,])
Because I agree the SEDCMD command is inserting the date just as you stated, I am just not understanding how the SEDCMD command is then "removing" the information prior to getting to the extract section of the props.conf file.
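
Added example, not part of the original post: the SEDCMD substitution and the `pfsense_sourcetyper` regex from the post, emulated with Python's `re` on constructed sample lines, to show what `\1` keeps, what the rest of the match drops, and what changes if the period is left unescaped. The host names, the sample events and the function names are assumptions made for illustration.

```python
import re

# Expressions as given in the post (Python's re handles these constructs like PCRE).
TS = r"^(\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s)+"
SED_ESCAPED = re.compile(TS + r"\S+\.\S+\s+")    # period escaped, as the poster intends
SED_UNESCAPED = re.compile(TS + r"\S+.\S+\s+")   # same pattern with the backslash lost
SOURCETYPER = re.compile(r"^\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s+(\w+)([\d+])?:")

# Constructed sample events (not taken from the post).
WITH_FQDN = "Oct  3 12:34:56 fw01.example.lan filterlog: 5,,,1000000103,em0,match,block,in,4"
SHORT_HOST = "Oct  3 12:34:56 fw01 filterlog: 5,,,1000000103,em0,match,block,in,4"


def apply_sed(pattern, raw):
    # s/<pattern>/\1/g: the whole match (timestamp + host token) is replaced
    # by capture group 1, so only the timestamp survives from the matched part.
    return pattern.sub(r"\1", raw)


def derive_sourcetype(raw):
    # FORMAT = sourcetype::pfsense:$1 -> first capture group is the process name.
    m = SOURCETYPER.search(raw)
    return "pfsense:" + m.group(1) if m else None


if __name__ == "__main__":
    cleaned = apply_sed(SED_ESCAPED, WITH_FQDN)
    print("escaped, FQDN host   :", cleaned)
    print("sourcetype           :", derive_sourcetype(cleaned))
    # No dot in the host token: the escaped pattern does not match, line is unchanged.
    print("escaped, short host  :", apply_sed(SED_ESCAPED, SHORT_HOST))
    # Unescaped '.' can match the space after the host, so the greedy \S+ on the
    # other side swallows "filterlog:" as well and the process tag is lost.
    print("unescaped, FQDN host :", apply_sed(SED_UNESCAPED, WITH_FQDN))
```
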