Using the "create new field" option and a regex, I get:
2016-07-12 21:47:49 Kernel.Warning 152.7.5.35 Jul 13 04:42:08 EIS-BR kernel: [55214.077676] id=TAC pri=6 func=wrlog_logger line=181 ctx=bump0 msg="Unknown Identity: no enabled identity for token: 198.7.100.26:52675 -> 8.96.3.3:3389 act(DISCARD:)
"Unknown identity" is the value for my field msg_1.
Then I want to add another value ("Deny udp") to msg_1:
2016-07-29 10:21:27 Local4.Warning 7.7.7.7 Jul 29 2016 15:25:16 Ent-FW : %ASA-4-106023: Deny udp src inside:198.4.1.10/514 dst outside:8.8.8.8/514 by access-group "inside_access_in" [0x0, 0x0]
But instead I get a lot of values matched for that field which are not intended.
Please note that these two search strings are located in different columns of the event, as you can see.
The unmatched values are, for example (this is intended to be a screenshot of the top values of the field msg_1; as you can see, Unknown Identity is there, but many other values that we don't want are included):
Top 10 Values                    Count     %
Trusted Host insert              219,786   43.123%
Protected Resource accept        140,836   27.633%
Unknown Identity                  84,839   16.646%
inside_access_in" [0x0, 0x0]      43,739    8.582%
hunsberger"                          703    0.138%
2016-07-24T12                        468    0.092%
2016-07-23T12                        430    0.084%
outside_access_in" [0x0, 0x0]        418    0.082%
2016-07-24T06                        382    0.075%
2016-07-24T07
Thanks!
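An added example (not part of the original post, and not the poster's actual regex) that runs Python's re module over the two events quoted above plus one constructed ASA line. It shows how a loosely anchored pattern fills msg_1 with unintended values, while an alternation anchored on each value's own context yields only the two wanted strings; the loose pattern and the third event are assumptions made for illustration.

```python
import re

# Constructed sample events: the two lines quoted in the post plus one extra
# ASA line (constructed) that a loose pattern would also capture a value from.
EVENTS = [
    '2016-07-12 21:47:49 Kernel.Warning 152.7.5.35 Jul 13 04:42:08 EIS-BR kernel: '
    '[55214.077676] id=TAC pri=6 func=wrlog_logger line=181 ctx=bump0 '
    'msg="Unknown Identity: no enabled identity for token: '
    '198.7.100.26:52675 -> 8.96.3.3:3389 act(DISCARD:)"',
    '2016-07-29 10:21:27 Local4.Warning 7.7.7.7 Jul 29 2016 15:25:16 Ent-FW : '
    '%ASA-4-106023: Deny udp src inside:198.4.1.10/514 dst outside:8.8.8.8/514 '
    'by access-group "inside_access_in" [0x0, 0x0]',
    '2016-07-29 10:21:30 Local4.Warning 7.7.7.7 Jul 29 2016 15:25:19 Ent-FW : '
    '%ASA-6-302013: Built outbound TCP connection 1234 for outside:8.8.8.8/443 '
    '(constructed) by access-group "outside_access_in" [0x0, 0x0]',
]

# Loose pattern (constructed for illustration, not the poster's regex): it takes
# the text after the first double quote in *any* event, so access-group names
# and similar quoted strings end up in msg_1 alongside the intended value.
LOOSE = re.compile(r'"(?P<msg_1>[^:"]+)')

# Anchored pattern: each wanted value is only accepted in its own context, the
# msg="..." key of the kernel event or the %ASA-4-106023 message of the ASA
# event.  Lookbehind keeps a single capture group, which Splunk's PCRE-based
# rex/field extraction supports as well (Python's lookbehind must be fixed width).
STRICT = re.compile(
    r'(?P<msg_1>(?<=msg=")Unknown Identity|(?<=%ASA-4-106023: )Deny udp)'
)


def extract(pattern, event):
    """Return the msg_1 value a pattern yields for one event, or None."""
    m = pattern.search(event)
    return m.group("msg_1") if m else None


def top_values(pattern, events):
    """Mimic the 'top values' panel: count each distinct extracted msg_1."""
    counts = {}
    for event in events:
        value = extract(pattern, event)
        if value is not None:
            counts[value] = counts.get(value, 0) + 1
    return counts


if __name__ == "__main__":
    print("loose :", top_values(LOOSE, EVENTS))
    print("strict:", top_values(STRICT, EVENTS))
```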