I'm trying to put into practice what I saw in Michael Wilde's Regex video with regards to making rex searches persistent. I must be missing something because I'm not getting the results I'm after.
With help from many folks here, I've built a search regex like so. It works perfectly from search:
^(?:\S*\s*){5}(?<hostname>\S*)[^%]*(?<alert>%\S+)
Now, I'm trying to make it persistent by adding those search elements to /local copies of props.conf and transforms.conf.
Since this syslog search is geared mostly towards Cisco syslog output, I see that there is a cisco_syslog stanza in props.conf that I think I can use:
[cisco_syslog]
MAX_TIMESTAMP_LOOKAHEAD = 32
SHOULD_LINEMERGE = False
TIME_FORMAT = %b %d %H:%M:%S
TRANSFORMS = syslog-host
REPORT-syslog = syslog-extractions
I copy the entry from default/props.conf and add it to local/props.conf and add the changes:
[cisco_syslog]
MAX_TIMESTAMP_LOOKAHEAD = 32
SHOULD_LINEMERGE = False
TIME_FORMAT = %b %d %H:%M:%S
TRANSFORMS = syslog-host
REPORT-syslog = syslog-extractions,syslog-cisco
I add the corresponding stanza to local/transforms.conf:
[syslog-cisco]
REGEX = ^(?:\S*\s*){5}(?<hostname>\S*)[^%]*(?<alert>%\S+)
FORMAT = hostname::$1 alert::$2
I issue | kv reload=true and change my search to sourcetype=syslog, which I'd expect to at least show the new fields in the field picker, but alas, it does not.
Can anyone point me to what I might have missed?
With gratitude, L:x
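To check what the REGEX and FORMAT pair in the transforms.conf stanza above actually yields on raw events, here is an added Python example (not part of the original post, and not Splunk's own extraction code). It assumes a handful of constructed syslog lines shaped so that the device name is the sixth whitespace-separated field, which is what the leading `(?:\S*\s*){5}` skip implies; real forwarded Cisco lines may carry a different number of leading fields. The helper names `pcre_to_python`, `parse_format` and `extract_fields` are mine. Note that Splunk uses PCRE named groups `(?<name>...)`, which Python's `re` module does not accept, so the example translates them to `(?P<name>...)` before compiling.

```python
from __future__ import annotations
import re

# REGEX exactly as written in the [syslog-cisco] transforms.conf stanza (PCRE syntax).
SPLUNK_REGEX = r"^(?:\S*\s*){5}(?<hostname>\S*)[^%]*(?<alert>%\S+)"
# FORMAT from the same stanza: each field name is bound to a numbered capture group.
SPLUNK_FORMAT = "hostname::$1 alert::$2"

# Constructed sample events (hypothetical devices and addresses), arranged so that
# the hostname is the sixth field. The third line carries no %MNEMONIC at all.
SAMPLE_EVENTS = [
    "Jan 12 10:11:12 10.0.0.5 1234: switch1 %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "Jan 12 10:12:30 10.0.0.6 77: switch2 Jan 12 10:12:30.001: %SYS-5-CONFIG_I: Configured from console by admin on vty0",
    "Jan 12 10:13:00 10.0.0.7 5: switch3 keepalive ok no mnemonic here",
]


def pcre_to_python(pattern: str) -> str:
    """Rewrite PCRE named groups (?<name>...) as Python's (?P<name>...).

    Lookbehinds (?<= and (?<! are untouched because '=' and '!' are not \\w.
    """
    return re.sub(r"\(\?<(?P<name>\w+)>", r"(?P<\g<name>>", pattern)


def parse_format(fmt: str) -> list[tuple[str, int]]:
    """Parse a Splunk FORMAT string 'name::$N other::$M' into [(name, N), ...]."""
    pairs = []
    for token in fmt.split():
        name, _, ref = token.partition("::")
        pairs.append((name, int(ref.lstrip("$"))))
    return pairs


COMPILED = re.compile(pcre_to_python(SPLUNK_REGEX))
FIELDS = parse_format(SPLUNK_FORMAT)


def extract_fields(raw: str) -> dict[str, str]:
    """Apply REGEX to one raw event and map capture groups to field names via FORMAT.

    Returns an empty dict when the event does not match, mirroring the fact that
    a non-matching event simply gets no extracted fields.
    """
    match = COMPILED.search(raw)
    if not match:
        return {}
    return {name: match.group(number) for name, number in FIELDS}


def run_samples() -> list[dict[str, str]]:
    """Extract fields from every constructed sample event, in order."""
    return [extract_fields(line) for line in SAMPLE_EVENTS]


if __name__ == "__main__":
    for line, fields in zip(SAMPLE_EVENTS, run_samples()):
        print(f"{line[:40]!r:45} -> {fields}")
```

Running the block prints one extraction result per sample line; the first two yield `hostname` and `alert`, the third yields nothing because the regex requires a `%`-prefixed token. Because `alert` is captured with `%\S+`, the trailing colon is part of the value (`%LINK-3-UPDOWN:`), which is worth keeping in mind when later matching on that field.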