Hello All
My current environment is as follows:
Syslog/UF (Universal Forwarder) -> HF (Heavy Forwarder) -> Indexers
I am trying to perform an index-time field extraction so that people can use the extracted fields across all Search Heads in our environment.
The following is what I have now after lots of trying:
**transforms.conf**

```
[ABC]
REGEX = ^.*host\s(?1[^ ]+)\sat.+by\s(?2.+)
FORMAT = $0:$1:$2:$3:$4:$5:$6
```
**props.conf**

```
[sourcetype::XYZ]
TRANSFORMS-ABC = a_B_C
```
I tried pushing this to the indexers to populate the extraction, but it is not working.
Also, the regex works as a search-time extraction when I use it from the Search Head with a `|rex ""` command.
Please help.
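For comparison, here is the shape an index-time extraction normally takes in Splunk. This is an added example, not the poster's configuration: the field names `src_host` and `changed_by` are assumed for illustration, and the regex keeps the poster's pattern but uses standard named capture groups. The points it illustrates are that `FORMAT` for an index-time transform uses `fieldname::$n` pairs rather than a colon-joined string, that `WRITE_META = true` is required to store the fields in the index, that the props.conf stanza for a sourcetype is written as `[XYZ]` (the `source::` and `host::` prefixes are reserved for source and host stanzas) and its `TRANSFORMS-` setting must name the transforms.conf stanza exactly, and that `fields.conf` on the Search Heads tells search that the field is indexed. Because index-time transforms run on the first full parsing tier, in a UF -> HF -> Indexer pipeline they must be deployed on the Heavy Forwarder; data the HF has already parsed arrives at the indexers as cooked data and is not re-parsed there.

```ini
# transforms.conf  (deploy on the Heavy Forwarder, the first parsing tier)
# Assumed example stanza and field names; adapt the regex to the real event format.
[ABC]
REGEX = ^.*host\s(?<src_host>[^ ]+)\sat.+by\s(?<changed_by>.+)
# Index-time FORMAT must be a space-separated list of fieldname::$captureN pairs.
FORMAT = src_host::$1 changed_by::$2
# Without WRITE_META the captured values are never written to the index.
WRITE_META = true

# props.conf  (same Heavy Forwarder)
# Sourcetype stanzas use the bare sourcetype name; the value after TRANSFORMS-<class>
# must match the transforms.conf stanza name character for character.
[XYZ]
TRANSFORMS-ABC = ABC

# fields.conf  (deploy on every Search Head)
# Marks the fields as indexed so searches like src_host=foo use the index directly.
[src_host]
INDEXED = true

[changed_by]
INDEXED = true
```

After deploying, restart splunkd on the HF; only events parsed after the restart carry the new indexed fields, so verify with `index=<your_index> sourcetype=XYZ | head 5 | table _time src_host changed_by` over a window that starts after the restart.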