Sumo Logic allows you to parse on previously extracted fields, or initial parsing on a metadata field value (_collector, _source, etc..) using the additional parse syntax of field=<field_name>. This additional syntax is available with the standard Parse as well as the Parse Regex operations.
Syntax:
| parse field=<field_name> "start_anchor*stop_anchor" as fieldname
| parse regex field=<field_name> " start expression(?<fieldname>field expression) stop expression"
Examples:
Sample log message:
Aug 2 04:06:08: host=10.1.1.124: local/ssl2 notice mcpd[3772]: User=jsmith@demo.com: severity=warning: 01070638:5: Pool member 172.31.51.22:0 monitor status down.
First, we'll use a parse statement such as the following to get the User from the log message, which will return a field called user_email with a value of jsmith@demo.com:
| parse "User=*:" as user_email
Now that we have this field, we want to additionally parse out just the name and domain from the email address. We can do this by adding the additional syntax of fields=<field_name> to a follow-up parse operation:
| parse "User=*:" as user_email
| parse field=user_email "*@*" as user_name, domain
The result of the above query would be:
|
user_email |
user_name |
domain |
|
jsmith@demo.com |
jsmith |
demo.com |
The fields=<field_name> syntax is not just limited to fields that have been specifically parsed from the logs. This syntax can also be used to parse the predefined metadata fields such as _collector, _source, _sourceName, etc.. For example if we have a long list of Collectors all with the same naming format of HostName_10.10.10.1 we can parse this metadata field value to just get the IP address.
parse field=_collector "HostName_*" as host_ip
Comments
0 comments
Please sign in to leave a comment.