Re: How to configure additional extractions on the...

junxianli · ‎01-27-2015

Hi all,

I am trying to source a way to only perform a certain set of extractions on the "Message" field, when EventCode=4265 (e.g).

Anyone has any clue? I don't want to apply the extraction directly on each event, as it may cause performance issue.

aakwah · ‎01-27-2015

Hello,

you can do the following

index=windows_events EventCode=4265 | rex "your_regex"

you can use erex to help you in building regex as per the following

index=windows_events EventCode=4265 | erex Message examples="error,login"

Regards,
Ahmed

aakwah · ‎01-27-2015

Yes that can be done, run the query on search

index=windows_events EventCode=4265

Then at the bottom of Fields bar (on left down corner of web interface)
press Extract New Fields
select any sample event
click Next
mark 4265 # the value of Event code we want to add to the regex
a menu will appear, select Require, then Add Required Text
mark the part pf the message you want to extract
a menu will appear, select Extract, provide Field Name, then Add Extraction
click Next
validate results
save

The generated regex will be added to props.conf

Regards,
Ahmed

junxianli · ‎01-27-2015

Any ways to perform it via props.conf, transforms.conf or other .confs, instead of doing it within the search string?

How to configure additional extractions on the "Message" field based on EventCode for WindowsEvent?

Observability | Use Synthetic Monitoring for Website Metadata Verification

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!