extractor chaining

Follow
Avatar
Aaron Moses

Is it possible to chain field extractors?

I'm trying to conditionally extract fields from the url field already extracted from the log, when the url matches a certain pattern. I'm currently hoping to chain a field extractor using the where operator to filter the log entries to another field extractor that does the general extraction (extracting the url field). I'm open to other approaches to solve this problem.

1

Comments

1 comment

Sort by Date Votes
  • Avatar
    Latimer Luis

    Here's a question: Do you need to keep the URL's that don't match the pattern that you're looking for? If so, then some sort of nodrop would be needed, which makes the query a little more complicated to write.

    Below is an example of what can be done to achieve what you're looking for.  

    _sourceCategory=Apache/Access GET
    | parse "GET * HTTP/1.1\" * *" as url,status_code,bytes
    | parse field=url "*your_string*" as before,after nodrop
    | concat(before,"your_string",after) as new_field
    | parse field=new_field "*/*.*" as path,file,extension nodrop
    | fields -before,after,new_field //exclude the fields you don't need displayed

    If all you care about are the events containing this string, then the following should work and will perform better as well (notice the new keyword in the first line of the search): 

    _sourceCategory=Apache/Access GET "your_string"
    | parse "GET * HTTP/1.1\" * *" as url,status_code,bytes
    | where url matches "*your_string*"
    | parse field=url "*/*.*" as path,file,extension

    0
    Comment actions Permalink

Please sign in to leave a comment.

Didn't find what you were looking for?

New post