Hi
I have the following event record. I need to create a field extraction on a field called openports that has multiple values (highlighted in bold). How do I do this:
2016-12-01T14:34:26.315202-06:00 XXX.xxx.xxx.xxx CounterACT[1762]: admission=New Host; hostname=xxx.xxx.xxx.xxx; ad_displayname=User; banner=Unknown; onsite=Yes; online=Yes; ip=xx.xxx.xx.xx; ad_name=User; latest_ioc_date_sensitivity=Low Severity: #012Medium Severity: #012High Severity: #012Critical Severity: ; atc_scan_details=Scan Start Time: #012Scan Duration (seconds): #012Scan Status: Never scanned#012Scan Errors: ; mac=Unknown; mac_colon=Irresolvable; mac_dash=Irresolvable; group=Windows; nic_vendor=Irresolvable; nic_vendor_string=Irresolvable; netfunction=Windows Machine; openports=22/TCP, 135/TCP, 21/TCP, 80/TCP, 137/UDP, 3389/TCP;
Any help will be greatly appreciated
Thanks,
Obaid
Try this if openports is not already extracted:

your query
| rex field=_raw "openports\=(?<openports>[^;]+)"
| rex field=openports max_match=0 "(?<port>[\d]+)\/(?<protocol>[^,\s]+)"
| table port protocol

If it's already extracted, then remove the first line: | rex field=_raw "openports\=(?<openports>[^;]+)"

And, depending on the last character, if your earlier extraction caught the ; as well, then add an additional exclusion to [^,\s] to make it [^,;\s]
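The same two-stage extraction, worked through in Python as an added example (not part of the original answer, and not Splunk's own code): stage 1 is the rex against _raw that pulls the openports value up to the first ;, stage 2 is the max_match=0 rex that splits it into port/protocol pairs. The second pattern already excludes ; so it gives the same result whether or not the earlier extraction kept the trailing ;. The sample event is a constructed, shortened copy of the record in the question with the same masked addresses; ports_by_protocol is an assumed helper that mirrors what a stats values(port) by protocol would show.

```python
import re

# Constructed sample event: a trimmed copy of the record quoted in the question,
# keeping the masked addresses and the openports value exactly as posted.
SAMPLE_EVENT = (
    "2016-12-01T14:34:26.315202-06:00 XXX.xxx.xxx.xxx CounterACT[1762]: admission=New Host; "
    "hostname=xxx.xxx.xxx.xxx; ad_displayname=User; banner=Unknown; onsite=Yes; online=Yes; "
    "ip=xx.xxx.xx.xx; ad_name=User; group=Windows; netfunction=Windows Machine; "
    "openports=22/TCP, 135/TCP, 21/TCP, 80/TCP, 137/UDP, 3389/TCP;"
)

# Stage 1 pattern: same as the answer's first rex (value runs up to the next ';').
OPENPORTS_RE = re.compile(r"openports=(?P<openports>[^;]+)")

# Stage 2 pattern: same as the answer's second rex, with ';' added to the exclusion
# so a value that still carries its trailing ';' parses identically.
PORT_RE = re.compile(r"(?P<port>\d+)/(?P<protocol>[^,;\s]+)")


def extract_openports(raw):
    """Stage 1: pull the raw openports string out of the whole event (rex field=_raw)."""
    m = OPENPORTS_RE.search(raw)
    return m.group("openports") if m else None


def split_ports(openports):
    """Stage 2: every port/protocol pair in the string, like rex max_match=0."""
    return [(int(m.group("port")), m.group("protocol")) for m in PORT_RE.finditer(openports)]


def extract_ports(raw):
    """Both stages chained: list of (port, protocol) tuples, empty if the field is absent."""
    value = extract_openports(raw)
    return split_ports(value) if value else []


def ports_by_protocol(raw):
    """Assumed helper: group ports per protocol, as stats values(port) by protocol would."""
    grouped = {}
    for port, proto in extract_ports(raw):
        grouped.setdefault(proto, []).append(port)
    return grouped


if __name__ == "__main__":
    for port, proto in extract_ports(SAMPLE_EVENT):
        print(port, proto)
    print(ports_by_protocol(SAMPLE_EVENT))
```

Running the block prints one port/protocol line per open port and then the per-protocol grouping; split_ports can also be fed a value that still ends in ; to confirm the widened exclusion class handles it.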
Thanks gokadroid for your input. Could you please help me do an automatic extraction for this field openports?