I created a query to parse data using Field Extraction Rules. I have managed to create the aforementioned FER that gets two simple fields called "src" and "dst".
When I get to the query, I split this down further using the "split" function on the delimiter ":".
| split dst delim=':' extract dst_ip, dst_port, dst_int
| split src delim=':' extract src_ip, src_port, src_int
| lookup type, actor, raw, threatlevel as malicious_confidence from sumo://threat/cs on threat=src_ip
| where dst_ip contains "172.19." and type="ip_address" and !isNull(malicious_confidence) and malicious_confidence in ("high", "medium") and msg contains "Opened"
| if (isEmpty(actor), "Unassigned", actor) as Actor
This works, but it generates a warning for both the src and dst fields: "Field dst missing from stream tuple".
What could be causing this and how to resolve it?
We need to check all loglines and make sure that
dst fields are extracted. This issue normally happens when some of those might not match the FER and that would cause these fields to be missing on some tuples.
You can use the isBlank, isNull, or isEmpty operator to check for the log lines that don't have those values against these fields.
For ex: "where isBlank(dst)"