All,
I was using rex field extraction at search and it did exactly what I expected:
| rex field=_raw "\[(?_.+)\]\s"
However, I placed the extraction in props.conf and I am not getting the same results.
EXTRACT-dye3 = \[(?_.+)\]\s
Example log
2016-04-08 22:15:24,120 [_1234567891234567] priority=WHOA app_name=amazingapp
In the second example I end up with EVERYTHING after the underscore, while the first example snags the contents between the braces perfectly.