I'm attempting to set up a Field Extraction for log files we're forwarding from an LDAP server. For the most part it works, but for some reason it seems to be extracting data from subsequent lines, even though everything I've checked on regex101.com etc. shows it should stop at the end of the line. I'm trying to extract all characters following the word "Outcome: " in the log file. In some of the events this appears in the middle, and when it does, it continues to extract into the next line.
Here's the regex "Outcome:\s(?P.*)"
Working data (snipped/cleansed)
When: 2017-03-16 14:51:46-0700
Measure: 0.000000
Actor: uid=xxxxxxx
Impersonator: -
ClientAddress: xxxxx
Session: xxxxx
AuthServer: xxxxxx
AppServer: -
ProxyServer: -
AgentAddress: xxxxxxxx
Interface: api
MoreInfo: xxxxxx
Event: identity/logout/passexpire
TargetObject: -
SecondaryTarget: -
Outcome: success
This matches the word "success" and that's it.
NOT Working Data
When: 2017-03-15 14:01:59-0700
Measure: 0.015000
Actor: xxxx
Impersonator: -
ClientAddress: xxxxx
Session: xxxx
AuthServer: xxxxx
AppServer: -
ProxyServer: -
AgentAddress: xxxxx
Interface: api
MoreInfo: "Role: base"
Event: identity/password/get
TargetObject: xxxxx
SecondaryTarget: -
Outcome: success
When: 2017-03-15 14:01:59
Measure: 0.016000
Actor: xxxxx
Impersonator: -
ClientAddress: xxx
This matches "success When: 2017-03-15 14:01:59 Measure: 0.016000 Actor: xxxxx Impersonator: - ClientAddress: xxx".... and everything else after it
I realize it looks like the single event is actually multiple events recorded as one event. I'm not exactly worried about that right now. Is there a way to get it to stop matching at the end of the line instead of continuing on? From everything I've read, .* is not supposed to match line terminators/newlines.
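The behaviour described above can be reproduced outside Splunk. The following is an added example, not code from the original post: it runs the poster's pattern (with a placeholder group name, since the original's was lost) against three constructed variants of the same event in Python's `re` module, whose default `.` behaves like PCRE's here in that it refuses to match `\n` only. A bare `\r` line terminator or newlines already flattened to spaces will let `.*` run across what used to be line boundaries, while `[^\r\n]*` stops at either terminator and `\S+` stops at the first whitespace. The sample events and the group name `outcome` are assumptions for illustration.

```python
import re

# Constructed sample field lines (not the poster's real data), in the order
# they appear in the event; the "Outcome:" line is followed by more fields.
FIELDS = [
    "Outcome: success",
    "When: 2017-03-15 14:01:59",
    "Measure: 0.016000",
    "Actor: xxxxx",
]

# Three ways the same event can arrive, depending on the source and forwarder.
EVENT_LF = "\n".join(FIELDS)    # Unix newlines: '.' stops here
EVENT_CR = "\r".join(FIELDS)    # bare carriage returns: '.' does NOT stop here
EVENT_FLAT = " ".join(FIELDS)   # newlines collapsed to spaces before indexing

# The poster's pattern; the group name 'outcome' is a placeholder (assumption).
GREEDY = re.compile(r"Outcome:\s(?P<outcome>.*)")
# Same pattern with DOTALL, which makes '.' match '\n' as well.
GREEDY_DOTALL = re.compile(r"Outcome:\s(?P<outcome>.*)", re.DOTALL)
# Explicit negated class: stops at CR or LF whichever terminator is present.
NO_EOL = re.compile(r"Outcome:\s(?P<outcome>[^\r\n]*)")
# First whitespace-free token: correct when the outcome is a single word.
TOKEN = re.compile(r"Outcome:\s(?P<outcome>\S+)")


def extract(pattern, event):
    """Return the captured 'outcome' group for the first match, or None."""
    m = pattern.search(event)
    return m.group("outcome") if m else None


def compare(event):
    """Run every pattern over one event and return {name: captured text}."""
    return {
        "greedy": extract(GREEDY, event),
        "greedy_dotall": extract(GREEDY_DOTALL, event),
        "no_eol": extract(NO_EOL, event),
        "token": extract(TOKEN, event),
    }


if __name__ == "__main__":
    for label, event in (("LF", EVENT_LF), ("CR", EVENT_CR), ("FLAT", EVENT_FLAT)):
        print(f"--- {label} ---")
        for name, value in compare(event).items():
            print(f"{name:14s} {value!r}")
```

The run shows that `.*` alone is only safe when the event really contains `\n` at the end of each line; if the forwarded event has bare `\r` terminators or has had its newlines replaced by spaces, the captured value grows to the end of the event exactly as in the question. Checking the raw bytes of one of the misbehaving events for `\r` versus `\n` is the quickest way to tell which case applies.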