I'm trying to extract several fields from my log, but for some reason it does not work :(
Here is my props:

```
[ev_event]
EXTRACT-sourceTask,groupName,virusName,targetUser,targetUserType,infectedObject = wstrTaskDisplayName="(?P<sourceTask>[^"]+)", wstrGroupName="(?P<groupName>[^"]+)".*strEventType="GNRL_EV_VIRUS_FOUND", wstrDescription="Результат:\s+Обнаружено:\s((?P<virusName>[^\n]+))\nПользователь:\s+(?P<targetUser>[^()]+)\s\((?P<targetUserType>[^)]+)\)\nОбъект:\s+(?P<infectedObject>[^"]+)
```
There are Russian letters, but that's OK. The regex is 100% valid; I created it via the Splunk Field Extractor. But I don't see these fields in the fields list on the left and can't search their values. However, when I open 'extract new fields' again, my fields are highlighted. What did I do wrong?
Here is a log example:

```
"2016-04-27 10:56:35" nSeverity="4", wstrTaskDisplayName="Файловый Антивирус", wstrGroupName="OFFICE", wstrProductBuildNumber="10.2.4.674", strEventType="GNRL_EV_VIRUS_FOUND", wstrDescription="Результат: Обнаружено: EICAR-Test-File
Пользователь: DOMAIN\TEST_USER (Инициатор)
Объект: C:\users\test_user\desktop\11.txt", wstrPar1="NULL", wstrPar2="C:\Users\test_user\Desktop\11.txt", wstrPar3="NULL", hostName="USER-COMP", domainName="domain.ru", tmRegistrationTime="2016-04-27 10:56:35.68", nId="1944850"
```
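An offline check of the EXTRACT regex above against the sample event, added here as an example and not part of the original post. It runs the same PCRE-style named-group regex in Python (with the group names restored in the order the EXTRACT field list gives them) against the event as one three-line string and against its first physical line alone, since the regex requires the literal `\n` separators and produces nothing if the event has been split at those newlines; the event text is copied from the question.

```python
import re
from typing import Optional

# The EXTRACT regex from the question, named groups restored in the order
# of the field list: sourceTask, groupName, virusName, targetUser,
# targetUserType, infectedObject. (?P<name>...) is valid in both PCRE and Python.
EXTRACT_RE = re.compile(
    r'wstrTaskDisplayName="(?P<sourceTask>[^"]+)", wstrGroupName="(?P<groupName>[^"]+)"'
    r'.*strEventType="GNRL_EV_VIRUS_FOUND", wstrDescription="Результат:\s+Обнаружено:\s'
    r'((?P<virusName>[^\n]+))\nПользователь:\s+(?P<targetUser>[^()]+)\s\((?P<targetUserType>[^)]+)\)'
    r'\nОбъект:\s+(?P<infectedObject>[^"]+)'
)

# Constructed sample: the event from the question as Splunk would hold it
# if the three physical lines were kept together as one event.
SAMPLE_EVENT = (
    '"2016-04-27 10:56:35" nSeverity="4", wstrTaskDisplayName="Файловый Антивирус", '
    'wstrGroupName="OFFICE", wstrProductBuildNumber="10.2.4.674", '
    'strEventType="GNRL_EV_VIRUS_FOUND", wstrDescription="Результат: Обнаружено: EICAR-Test-File\n'
    'Пользователь: DOMAIN\\TEST_USER (Инициатор)\n'
    'Объект: C:\\users\\test_user\\desktop\\11.txt", wstrPar1="NULL", '
    'wstrPar2="C:\\Users\\test_user\\Desktop\\11.txt", wstrPar3="NULL", hostName="USER-COMP", '
    'domainName="domain.ru", tmRegistrationTime="2016-04-27 10:56:35.68", nId="1944850"'
)


def extract_fields(event: str) -> Optional[dict]:
    """Apply the EXTRACT regex to one event; None means no fields would be produced."""
    m = EXTRACT_RE.search(event)
    return m.groupdict() if m else None


def check_line_splitting(event: str) -> dict:
    """Compare the whole multi-line event against only its first physical line."""
    return {
        "whole_event": extract_fields(event),
        "first_line_only": extract_fields(event.split("\n", 1)[0]),
    }


if __name__ == "__main__":
    for mode, fields in check_line_splitting(SAMPLE_EVENT).items():
        print(mode, "->", fields)
```

If the first-line-only case is what your indexed events look like in search (one event per physical line), the line-breaking settings for the sourcetype are worth checking before the regex itself.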