We are ingesting Exchange message trace logs and the username is not being pulled correctly. Reviewing the default/props.conf file I see the following field extraction:
EXTRACT-user = ^(?:[^"\n]*"){7}(?P<user>\w+)
An Exchange message trace example is as follows:
{"EventReceivedTime":"2019-06-27 11:00:44","SourceModuleName":"EXCHGETMESGTRACEPRD","SourceModuleType":"im_file","MessageId":"","Received":"6/27/2019 10:48:21 AM","SenderAddress":"pthurmond@ncmstl.com","RecipientAddress":"user@blah.blah.edu","Subject":"RE: Information Request","Status":"Delivered","FromIP":"1.1.1.1","Size":"118216"}
I tested a new regex (below) against sample Exchange message trace events and it's pulling the username from the correct location:
^(?:[^"\n]*"){23}(?P<user>\w+)
My plan is to comment out the regex in the default/props.conf file, then create a new local/props.conf file in the local directory for the add-on and push it via my deployment server to my deployer servers, and from there down to the two SH clusters I have.
Just wanted to throw this up to have someone double-check my process to make sure that a) I'm not missing any steps and b) verify that when I search the Exchange message trace events, no matter the time range, the user field will be populated with the correct values.
Thx
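The quote-counting behind both regexes, worked through as an added example (this is not code from the post or from the Splunk add-on). It runs the `{7}` and `{23}` patterns over a sample event constructed to match the one quoted above, shows that `{7}` lands on the SourceModuleName value while `{23}` lands on the local part of SenderAddress, and adds a helper that counts how many quotes precede a given key so the `{N}` figure can be checked rather than guessed. It also includes a key-anchored regex and a JSON-parsing alternative, both my own suggestions rather than anything from the post, to illustrate the main caveat with a positional extraction: a second constructed event with one extra field ahead of SenderAddress is enough to make `{23}` capture the wrong value. The group name `user` is assumed from the `EXTRACT-user` stanza. Two Splunk points worth keeping in mind when deploying: `EXTRACT-` settings are search-time extractions, so the corrected field applies to already-indexed events regardless of time range, and `local/props.conf` takes precedence over `default/props.conf` for the same stanza and setting, so the default copy need not be edited (and editing it would be lost on an add-on upgrade).

```python
import json
import re

# Constructed sample event, modelled on the message trace line quoted in the post.
SAMPLE_EVENT = (
    '{"EventReceivedTime":"2019-06-27 11:00:44",'
    '"SourceModuleName":"EXCHGETMESGTRACEPRD",'
    '"SourceModuleType":"im_file",'
    '"MessageId":"",'
    '"Received":"6/27/2019 10:48:21 AM",'
    '"SenderAddress":"pthurmond@ncmstl.com",'
    '"RecipientAddress":"user@blah.blah.edu",'
    '"Subject":"RE: Information Request",'
    '"Status":"Delivered",'
    '"FromIP":"1.1.1.1",'
    '"Size":"118216"}'
)

# Constructed (hypothetical) variant with one extra field before SenderAddress,
# used only to show how a positional regex breaks when field order changes.
REORDERED_EVENT = SAMPLE_EVENT.replace(
    '"SenderAddress"', '"Direction":"Outbound","SenderAddress"', 1
)

# Positional regexes from the post: skip N quoted segments, then capture \w+.
# Group name 'user' is assumed from the EXTRACT-user stanza.
ORIGINAL_EXTRACT = re.compile(r'^(?:[^"\n]*"){7}(?P<user>\w+)')
REVISED_EXTRACT = re.compile(r'^(?:[^"\n]*"){23}(?P<user>\w+)')

# Key-anchored alternative (my suggestion, not from the post): independent of
# how many fields precede SenderAddress. Captures the local part before '@'.
KEYED_EXTRACT = re.compile(r'"SenderAddress":"(?P<user>[^"@]+)@')


def extract_user(pattern, event):
    """Return the 'user' capture for one event, or None if the pattern misses."""
    m = pattern.search(event)
    return m.group("user") if m else None


def count_quotes_before_value(event, key):
    """Number of double quotes that must be consumed before the value of `key`
    begins: quotes preceding the key, the two around the key name, and the one
    opening the value. This is the {N} a positional regex needs for that key."""
    idx = event.index(f'"{key}":"')
    return event[:idx].count('"') + 3


def user_from_json(event):
    """Parse the event as JSON and return the local part of SenderAddress.
    Robust to field order, quoting inside Subject, and empty MessageId."""
    sender = json.loads(event).get("SenderAddress", "")
    return sender.split("@", 1)[0] if sender else None


if __name__ == "__main__":
    print("{7}  on sample   :", extract_user(ORIGINAL_EXTRACT, SAMPLE_EVENT))
    print("{23} on sample   :", extract_user(REVISED_EXTRACT, SAMPLE_EVENT))
    print("quotes before SenderAddress value:",
          count_quotes_before_value(SAMPLE_EVENT, "SenderAddress"))
    print("{23} on reordered:", extract_user(REVISED_EXTRACT, REORDERED_EVENT))
    print("keyed on reordered:", extract_user(KEYED_EXTRACT, REORDERED_EVENT))
    print("json on reordered :", user_from_json(REORDERED_EVENT))
```

On the sample event the `{7}` pattern returns `EXCHGETMESGTRACEPRD`, which is what a wrong-looking user field would contain, and `{23}` returns `pthurmond`. On the reordered event `{23}` returns `Outbound` while the key-anchored regex and the JSON path still return `pthurmond`; if the feed's field set is stable the positional regex is fine, otherwise anchoring on the key name in `local/props.conf` is the safer extraction.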