Hi aljohnson_splunk,
Further to this, I also tried extraction using props.conf and transforms.conf as below:
In props.conf, I added the following statement under [default] (as I want this extraction for all the sources and sourcetypes):
REPORT-Action=Action
And, in transforms.conf I added the following statements:
[Action]
REGEX = <root>.*?<ns0:LogMessage\s.*?>.*?<ns0:Fields>.+<ns0:Field>.+<ns0:name>(Action)</ns0:name>.+<ns0:value>([^<]+)</ns0:value>.+
FORMAT = Action::$1
Am I doing something wrong here? I have a doubt about my regex. Please refer to the example of the logs above.
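As an added illustration (not part of the original thread or of Splunk's own code), a small Python script that mimics how a REPORT transform turns REGEX capture groups and FORMAT `$n` references into a field, run over a constructed XML event shaped like the one the posted regex targets. It assumes Python's `re` treats this pattern the same way Splunk's PCRE engine does, and it shows why `$1` yields the literal word "Action" while `$2` yields the field's value.

```python
import re

# Constructed sample event (not taken from the thread), single-line XML with
# the ns0:LogMessage / ns0:Fields / ns0:Field structure the regex expects.
SAMPLE_EVENT = (
    '<root><ns0:LogMessage xmlns:ns0="urn:example"> <ns0:Fields> '
    '<ns0:Field> <ns0:name>User</ns0:name> <ns0:value>alice</ns0:value> </ns0:Field> '
    '<ns0:Field> <ns0:name>Action</ns0:name> <ns0:value>Login</ns0:value> </ns0:Field> '
    '</ns0:Fields> </ns0:LogMessage></root>'
)

REGEX = (r"<root>.*?<ns0:LogMessage\s.*?>.*?<ns0:Fields>.+<ns0:Field>.+"
         r"<ns0:name>(Action)</ns0:name>.+<ns0:value>([^<]+)</ns0:value>.+")

# Stanza as posted: (Action) is capture group 1, the value is group 2,
# but FORMAT references $1, so the field is set to the literal "Action".
STANZA_AS_POSTED = {"REGEX": REGEX, "FORMAT": "Action::$1"}

# Corrected stanza: reference the value group instead. Making (Action)
# non-capturing, i.e. (?:Action), would let $1 work as well.
STANZA_FIXED = {"REGEX": REGEX, "FORMAT": "Action::$2"}


def apply_transform(stanza, event):
    """Mimic a Splunk REPORT transform: run REGEX over the event, then
    expand each space-separated name::value pair in FORMAT, replacing
    $n with capture group n. Returns {} when the regex does not match."""
    match = re.search(stanza["REGEX"], event)
    if not match:
        return {}

    def expand(text):
        return re.sub(r"\$(\d+)", lambda g: match.group(int(g.group(1))) or "", text)

    fields = {}
    for pair in stanza["FORMAT"].split():
        name, _, value = pair.partition("::")
        fields[expand(name)] = expand(value)
    return fields


if __name__ == "__main__":
    print("as posted:", apply_transform(STANZA_AS_POSTED, SAMPLE_EVENT))
    print("fixed:    ", apply_transform(STANZA_FIXED, SAMPLE_EVENT))
```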