field extractions on csv log lines
I get the fields I need using the following search:

_sourceCategory=london_syslog_palo ",THREAT," | split _raw delim=',',quote='"' extract 1 as syslog_header, 2 as recvTime, 3 as serialNum, 4 as type, 5 as subtype, 6 as f1, 7 as genTime, 8 as src_ip, 9 as dest_ip, 10 as natsrc_ip, 11 as natdest_ip, 12 as ruleName, 13 as src_user, 14 as dest_user, 15 as app, 16 as vsys, 17 as src_zone, 18 as dest_zone, 19 as ingress_if, 20 as egress_if, 21 as logProfile, 22 as f2, 23 as sessionID, 24 as repeatCnt, 25 as src_port, 26 as dest_port, 27 as natsrc_port, 28 as natdest_port, 29 as flags, 30 as protocol, 31 as action, 32 as url_filename, 33 as threatid, 34 as category, 35 as severity, 36 as direction, 37 as seqNum, 38 as action_flags, 39 as src_loc, 40 as dest_loc, 41 as f3, 42 as content_type, 43 as pcap_id, 44 as filedigest, 45 as cloud_type, 46 as f4, 47 as user_agent, 48 as filetype, 49 as xff, 50 as referer, 51 as sender, 52 as subject, 53 as recipient, 54 as reportID

However, I need to put it into a field extraction rule, but I get an error:

Your rule cannot be saved: Invalid parse expression

I add the parse operator like "parse _raw as csvline | split csvline etc etc etc" but get the same error. How do I get this as a field extraction?

Thanks
M B, the split operator is currently not supported in Field Extraction rules. Please find here a list of supported operators: http://help.sumologic.com/Manage/Search_Optimization_Tools/Manage_Field_Extractions/Create_a_Field_Extraction_Rule

In this case we would use the parse operator (pseudo code):

_sourceCategory=london_syslog_palo ",THREAT," | parse "*,*,*[etc]" as syslog_header, recvTime, serialNum, [etc]

Hope this helps

Olaf
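As an added example (not from this thread and not Sumo Logic code), here is the positional mapping from the question written in Python, using the 54 field names it lists. It assumes that a plain "*,*,*" wildcard pattern behaves like a naive comma split, which is why a double-quoted value containing a comma (the reason for quote='"' in the original split) shifts every later field; the sample line is constructed.

```python
import csv
import io

# Field order of a PAN-OS THREAT syslog line, positions 1..54 exactly as the
# question's split ... extract clause names them.
THREAT_FIELDS = [
    "syslog_header", "recvTime", "serialNum", "type", "subtype", "f1",
    "genTime", "src_ip", "dest_ip", "natsrc_ip", "natdest_ip", "ruleName",
    "src_user", "dest_user", "app", "vsys", "src_zone", "dest_zone",
    "ingress_if", "egress_if", "logProfile", "f2", "sessionID", "repeatCnt",
    "src_port", "dest_port", "natsrc_port", "natdest_port", "flags",
    "protocol", "action", "url_filename", "threatid", "category", "severity",
    "direction", "seqNum", "action_flags", "src_loc", "dest_loc", "f3",
    "content_type", "pcap_id", "filedigest", "cloud_type", "f4", "user_agent",
    "filetype", "xff", "referer", "sender", "subject", "recipient", "reportID",
]


def parse_threat_line(raw, quoted=True):
    """Map one raw line onto THREAT_FIELDS by position.
    quoted=True honours double-quoted fields, like split ... quote='"'.
    quoted=False is a naive comma split (assumed equivalent of a plain
    "*,*,*" pattern): a comma inside a quoted value adds a column and every
    later field shifts by one."""
    if quoted:
        cols = next(csv.reader(io.StringIO(raw), quotechar='"'))
    else:
        cols = raw.split(",")
    return dict(zip(THREAT_FIELDS, cols))


# Constructed sample line (not real log data): 54 fields, mostly "-", with a
# quoted url_filename that contains a comma.
_vals = ["-"] * 54
_vals[0] = "<14>Jan  1 00:00:00 fw1 1"          # syslog header + FUTURE_USE
_vals[7], _vals[8] = "10.0.0.5", "203.0.113.9"  # src_ip, dest_ip
_vals[30] = "alert"                             # action
_vals[31] = '"example.test/path?a=1,b=2"'      # url_filename, quoted
_vals[32] = "Suspicious file(12345)"            # threatid
_vals[34] = "medium"                            # severity
SAMPLE_LINE = ",".join(_vals)

if __name__ == "__main__":
    good = parse_threat_line(SAMPLE_LINE)
    bad = parse_threat_line(SAMPLE_LINE, quoted=False)
    print("quoted threatid:", good["threatid"])  # Suspicious file(12345)
    print("naive  threatid:", bad["threatid"])   # b=2"
```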