I have created and extracted field as in the attachment, its to extract the username which was locked out. Its working correctly, as in the dark green section is correct and the lighter green covers the correct pre and post rules. In fact I copied the method used for another field from the content pack so it should work!
The issue here is that after saving the rule, the field never shows up with the correct logs.
any idea what may be causing this?
Yes there is an issue with \n in pre or post context , simply replace it with \s+ and it should work.
Yes there is an issue with \n in pre or post context , simply replace it with \s+ and it should work.
Thank you Yogita