Created an extractor with a regular expression: ((?>\d\d){1,2}\p{Z}(?:Jan(?:uary|uar)?|Feb(?:ruary|ruar)?|M(?:a|ä)?r(?:ch|z)?|Apr(?:il)?|Ma(?:y|i)?|Jun(?:e|i)?|Jul(?:y)?|Aug(?:ust)?|Sep(?:tember)?|O(?:c|k)?t(?:ober)?|Nov(?:ember)?|De(?:c|z)(?:ember)?)\p{Z}(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9])\p{Z}(?:2[0123]|[01]?[0-9]):(?:[0-5][0-9]):(?:[0-5][0-9]))
Screen shots are nice but posting the text of the message would be helpful too it allows us to take the text and the regex to here and play with it to see if there are issues ( you can too if you like!) . My first though it you could uncomplicate this a lot by using a GROK extractor rather than regex - you can use this site to test out GROK against a message… The nice thing about GROK is you can shorten up to be:
\<\d+\>%{YEAR} %{MONTH} %{MONTHDAY} %{TIME}
Which is much easier to conceptualize and the underlying regex has been worked out…
Did you try GROK? Did you try your message against regex1010? You didn’t post a sample message to work with so I can’t play with it - yes it’s a short message but I am lazy. Try creating a new field first with a different name first - as @gsmith suggests - just to work on getting the regex/GROK to work properly.
Try creating a new field first with a different name first - as