Solved: Re: Field extraction using Field Extractor

gcusello · ‎10-17-2016

Hi at all,
I would extract a field as a part of source field and I know how to do this using rex command

| rex field=source "myregex"

but I'd like to configure this field once and not in all my searches.
I tried putting in field extractor

field=source "myregex"

but there's something wrong!

Anyone has any idea?

Bye.
Giuseppe

TStrauch · ‎10-17-2016

Hi,

try this. You cannot use the "Field Extractor" for this. Need to Settings --> Fields --> Field extractions --> New

"myregex" in source

looks something like this then.

(?<newfield>.*) in source

regards

View solution in original post

TStrauch · ‎10-17-2016

Hi,

try this. You cannot use the "Field Extractor" for this. Need to Settings --> Fields --> Field extractions --> New

"myregex" in source

looks something like this then.

(?<newfield>.*) in source

regards

gcusello · ‎10-17-2016

Perfect: without double quotes!
Thank you.
Bye.
Giuseppe

richgalloway · ‎10-17-2016

The field extractor looks in the entire event. It's equivalent to rex field=_raw "myregex". You'll have to adjust your 'myregex' string to extract the desired field from the whole event.

---
If this reply helps you, Karma would be appreciated.

gcusello · ‎10-17-2016

yes I know, but source field isn't in _row.
Bye.
Giuseppe

Field extraction using Field Extractor

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...