Thank you very much, I found a way to get my regex running, finally!
Only for documentation:
There seems to be an inconsistency between the "Extract Fields" regex checker in Splunk Web and the regex interpreter for incoming data. A short example:
(?:(?!User-Agent).)*(?:User-Agent:\s+(?P<useragent>[^\s]*))?
In this case:
- regex101 returns the useragent
- the Splunk regex checker on the "Extract Fields" page does NOT return anything (?!)
- when I implement this regex for a sourcetype, I get values for the useragent field at search time
I always used the Splunk regex checker; regex101 seems to be a more reliable source! (The Splunk regex checker also works with my non-escaped character statement from above, while regex101 doesn't.)
Anyway, thanks for your help.
Example data:
2015-03-11T10:15:46.077+01:00; INFO ; HOSTNAME/P2928; 24; [RequestProcessor/ProcessBusinessLogicResponse]; Sent final response to client: SIP/2.0 480 Business Logic not available Via: SIP/2.0/UDP 0.0.0.0:0000;branch=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;rport=0000;received=0.0.0.0 To: ;tag=XXXXXXXX From: "" ;tag=XXXXXXXX Call-ID: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx CSeq: 2001 INVITE User-Agent: APP Allow: ACK, BYE, CANCEL, INFO, INVITE, NOTIFY, OPTIONS, REFER, REGISTER, SUBSCRIBE, UPDATE, MESSAGE Require: timer
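To see what the regex from the post actually does, here is an added example (not part of the post, and not Splunk's or regex101's code) that runs the pattern verbatim through Python's re module, which like PCRE supports named groups and negative lookahead. It cannot reproduce whatever the "Extract Fields" checker does, but it shows why the tempered token `(?:(?!User-Agent).)*` finds the header, and two things a practitioner would want to check: the trailing `?` makes the pattern match every event, so a missing header yields an empty field rather than a failed match, and `.` does not cross line breaks unless DOTALL is set. SAMPLE_EVENT is an abridged, constructed copy of the event in the post; the multiline flag and the DOTALL variant are assumptions added here.

```python
import re

# The regex from the post, used verbatim. Python's re module supports the
# (?P<name>...) group syntax and negative lookahead, so its result is comparable
# to (but not a guarantee of) what a PCRE-based engine such as regex101 reports.
USERAGENT_RE = re.compile(r"(?:(?!User-Agent).)*(?:User-Agent:\s+(?P<useragent>[^\s]*))?")

# Same pattern compiled with DOTALL so that '.' also consumes newlines. This is an
# added variant for multi-line events, not something the post describes.
USERAGENT_RE_DOTALL = re.compile(USERAGENT_RE.pattern, re.DOTALL)

# Constructed sample: the event from the post, abridged to the parts that matter.
SAMPLE_EVENT = (
    "2015-03-11T10:15:46.077+01:00; INFO ; HOSTNAME/P2928; 24; "
    "[RequestProcessor/ProcessBusinessLogicResponse]; Sent final response to client: "
    "SIP/2.0 480 Business Logic not available "
    "Via: SIP/2.0/UDP 0.0.0.0:0000;branch=xxx;rport=0000;received=0.0.0.0 "
    "CSeq: 2001 INVITE User-Agent: APP Allow: ACK, BYE, CANCEL Require: timer"
)


def extract_useragent(event, multiline=False):
    r"""Return the captured useragent value, or None if the group did not take part.

    How the pattern works:
      (?:(?!User-Agent).)*      consume one character at a time, but only while
                                the text at the current position does not start
                                with 'User-Agent' (a "tempered" greedy token)
      (?:User-Agent:\s+(?P<useragent>[^\s]*))?
                                then optionally consume the header and capture
                                the value up to the next whitespace

    Because the second part is optional, the regex matches *every* event: when
    the header is absent the named group simply stays unset instead of the match
    failing. That is the first thing to check when the field comes back empty.
    """
    pattern = USERAGENT_RE_DOTALL if multiline else USERAGENT_RE
    m = pattern.search(event)
    if m is None:
        return None
    return m.group("useragent")


if __name__ == "__main__":
    print("single-line event:", extract_useragent(SAMPLE_EVENT))
    print("no header at all: ", extract_useragent("Call-ID: abc CSeq: 1 INVITE"))
    two_lines = "Call-ID: abc\nUser-Agent: APP Allow: ACK"
    print("header on line 2, default flags:", extract_useragent(two_lines))
    print("header on line 2, DOTALL:       ", extract_useragent(two_lines, multiline=True))
```

The second and third cases are the ones worth keeping in mind when a checker and search time disagree: both produce a successful match with an unset group, so a tool that only reports "matched / did not match" will look fine while the extracted field is empty.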