In \etc\system\local\props.conf I have the following entry:
[Apache-registrant-forward]
FORMAT = client_ip::$1 user::$2 profile::$3 timestamp::$4 url::$5 http_status::$6 bytes::$7 user_agent::$8 processing_time_ms::$9 registrant::$10 forward_for::$11
NO_BINARY_CHECK = 1
REGEX = ^([0-9\.]+) ([0-9\-]*) ([0-9\-]*) (\[[^\]+\]) ("[^"]+") ([0-9\-]+) ([0-9\-]+) ("[^"]+") ([0-9]*) ("[^"]+") ([0-9\.]+)
REPORT-access = access-extractions
SHOULD_LINEMERGE = true
TIME_PREFIX = \[
maxDist = 28
pulldown_type = 1
In the search app I have:
sourcetype="Apache-registrant-forward"
The data looks like:
1.1.1.1 - - [24/Apr/2013:15:47:11 +0200] "GET /somerest HTTP/1.1" 200 12345 "-" "some useragent" "1234" 111.222.333.444
1.1.1.2 - - [24/Apr/2013:15:47:11 +0200] "GET /somerest HTTP/1.1" 200 78910 "-" "some useragent" "5678" 222.333.444.555
1.1.1.1 - - [24/Apr/2013:15:47:11 +0200] "GET /somerest HTTP/1.1" 200 28356 "-" "some useragent" "2345" 333.444.555.666
i.e. the client_ip is the proxy and the forward_for is the original IP.
Question: No matter what I do, I cannot see the registrant in the search interface:
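An offline check for the REGEX/FORMAT pair and the three sample lines quoted above, added here as an example and not part of the original post. It assumes Python's `re` as a stand-in for Splunk's PCRE engine, and `check_extraction` is a hypothetical helper name; it counts the capture groups the REGEX really defines, compares them with the `$N` references in FORMAT, and tries every sample event.

```python
import re

# REGEX and FORMAT exactly as they appear in the post; SAMPLE_EVENTS are its three data lines.
REGEX = r'^([0-9\.]+) ([0-9\-]*) ([0-9\-]*) (\[[^\]+\]) ("[^"]+") ([0-9\-]+) ([0-9\-]+) ("[^"]+") ([0-9]*) ("[^"]+") ([0-9\.]+)'
FORMAT = ("client_ip::$1 user::$2 profile::$3 timestamp::$4 url::$5 "
          "http_status::$6 bytes::$7 user_agent::$8 processing_time_ms::$9 "
          "registrant::$10 forward_for::$11")
SAMPLE_EVENTS = [
    '1.1.1.1 - - [24/Apr/2013:15:47:11 +0200] "GET /somerest HTTP/1.1" 200 12345 "-" "some useragent" "1234" 111.222.333.444',
    '1.1.1.2 - - [24/Apr/2013:15:47:11 +0200] "GET /somerest HTTP/1.1" 200 78910 "-" "some useragent" "5678" 222.333.444.555',
    '1.1.1.1 - - [24/Apr/2013:15:47:11 +0200] "GET /somerest HTTP/1.1" 200 28356 "-" "some useragent" "2345" 333.444.555.666',
]


def check_extraction(regex, fmt, events):
    """Compare capture groups with FORMAT's $N references and test each event."""
    compiled = re.compile(regex)  # assumption: Python re approximates PCRE here
    # Map each FORMAT field name to the group number it references.
    refs = {name: int(num) for name, num in re.findall(r'(\w+)::\$(\d+)', fmt)}
    # Fields whose $N points past the last group the regex defines.
    dangling = sorted(f for f, n in refs.items() if n > compiled.groups)
    extracted, unmatched = [], []
    for event in events:
        match = compiled.match(event)
        if match is None:
            unmatched.append(event)
            continue
        extracted.append({f: match.group(n) for f, n in refs.items()
                          if n <= compiled.groups})
    return {
        "groups": compiled.groups,
        "max_ref": max(refs.values()),
        "dangling": dangling,
        "extracted": extracted,
        "unmatched": unmatched,
    }


if __name__ == "__main__":
    report = check_extraction(REGEX, FORMAT, SAMPLE_EVENTS)
    print("capture groups:", report["groups"], "highest $N:", report["max_ref"])
    print("fields with no group:", report["dangling"])
    print("events matched:", len(report["extracted"]), "unmatched:", len(report["unmatched"]))
```

With the text as printed on this page, the bracket expression that starts at `[^\]+\]` does not close until the `]` in the following `("[^"]+")`, so the pattern defines fewer groups than FORMAT references and none of the sample lines match.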