I want to extract a field which is uuid format and name it `instanceid`.
props.conf settings
EXTRACT-fields_5 = \[[i]nstance:\s+(?P[0-9a-f]{8}\-[0-9a-f]{4}\-[0-9a-f]{4}\-[0-9a-f]{4}\-[0-9a-f]{12})
For logs like ...
2017-01-01 00:00:00.000 99999 INFO xxxxxxxxxxxx [-] [instance: 01234567-89ab-cdef-0123-456789abcdef] Instance destroyed successfully.
However, it works for some events but it doesn't for some other events.
When I changed the field name to `nstanceid` or `istanceid` in regex, it works for all events. I don't know what's wrong with the field name `instanceid`.
OTOH, `rex` command with above regex (field name is `instanceid`) works well.
Would somebody give me the reason why??
↧