Mikrotik Sawmill integration

For those who use syslog with Mikrotik and wish to have Sawmill parsing (Mikrotik V6), I have the following regex.
You need to modify the file mikrotik_router.cfg under \program files\sawmill n\LogAnalysisInfo.


Autodetect line

log.format.autodetect_regular_expression = "[a-z,]+ *: [a-z]+:"

Parse line

if (matches_regular_expression(v.syslog_message, '^[a-z,]+ ([^ ]+) [^:]+: [a-z]+:([^ ]+) [a-z]+:([^,]+), [^,]+, proto ([A-Z]+) [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]+)->([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]+), [^,]+, len ([0-9]+)')) then (

This assumes a prefix when you log, and the 'type' field will be set to this prefix.
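To check the two expressions against your own syslog lines before editing the Sawmill profile, this Python harness applies them to a sample line and validates the captured values. It is an added example, not part of the original post or of Sawmill; the sample line is constructed to fit the pattern, and every field name other than 'type' is an assumption.

```python
import ipaddress
import re

# Autodetect and parse expressions from the post; the parse one begins ^[a-z,]+
AUTODETECT = re.compile(r"[a-z,]+ *: [a-z]+:")
PARSE = re.compile(
    r"^[a-z,]+ ([^ ]+) [^:]+: [a-z]+:([^ ]+) [a-z]+:([^,]+), [^,]+, "
    r"proto ([A-Z]+) [^ ]+ "
    r"([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]+)->"
    r"([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]+), [^,]+, len ([0-9]+)"
)

# Hypothetical field names; only 'type' (the log prefix) is named in the post.
FIELDS = ("type", "in_if", "out_if", "proto",
          "src_ip", "src_port", "dst_ip", "dst_port", "length")

# Constructed sample line (documentation address ranges, made-up prefix).
SAMPLE = ("firewall,info DROP-IN forward: in:ether1 out:bridge, "
          "src-mac 00:00:5e:00:53:01, proto TCP (SYN), "
          "192.0.2.10:51234->198.51.100.7:443, "
          "NAT (192.0.2.10:51234->203.0.113.5:51234)->198.51.100.7:443, len 60")


def parse_line(msg):
    """Return a dict of fields, or None if the line does not match or is invalid."""
    m = PARSE.search(msg)
    if m is None:
        return None
    rec = dict(zip(FIELDS, m.groups()))
    try:
        # [0-9]+ also accepts octets above 255, so validate the addresses.
        for key in ("src_ip", "dst_ip"):
            ipaddress.IPv4Address(rec[key])
        for key in ("src_port", "dst_port", "length"):
            rec[key] = int(rec[key])
    except ValueError:
        return None
    # Likewise, the pattern alone does not bound port numbers.
    if rec["src_port"] > 65535 or rec["dst_port"] > 65535:
        return None
    return rec


if __name__ == "__main__":
    print("autodetect:", bool(AUTODETECT.search(SAMPLE)))
    print(parse_line(SAMPLE))
```
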