Parsing second field if it is in message

Comments

1 comment

  • Brian Jahng

    Arno, you could use two parse statements with the second one overwriting the first if it exists:

    | parse "SRC=* DST=* " as src_ip, dst_ip
    | parse "[SRC=* DST=* " as src_ip, dst_ip nodrop

    Hope that helps!

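The two-statement approach from Brian Jahng's comment, modelled in Python as an added example that is not part of the original thread and not Sumo Logic's own code. It assumes that a parse expression is a substring match whose `*` is a non-greedy wildcard, that `_raw` holds the message text, and that a parse statement without `nodrop` discards messages it cannot match; the firewall-style log lines are constructed for the example. Running the same messages through the pipeline with and without `nodrop` on the second statement shows why the `nodrop` matters: without it, messages that only carry the first form are lost.

```python
import re


def parse_to_regex(expr):
    """Translate a Sumo-style parse expression into a compiled regex.

    Literal text is escaped and each '*' becomes a non-greedy capture group
    (an assumption about the parse operator, made for this model only).
    """
    return re.compile("(.*?)".join(re.escape(part) for part in expr.split("*")))


def apply_parse(record, expr, fields, nodrop=False):
    """Apply one parse statement to a record.

    On a match the captured values are written into the record, so a later
    statement overwrites fields set by an earlier one. On a miss the record
    is kept unchanged when nodrop is set, otherwise it is dropped (None).
    """
    match = parse_to_regex(expr).search(record["_raw"])
    if match:
        updated = dict(record)
        updated.update(zip(fields, match.groups()))
        return updated
    return record if nodrop else None


def run_pipeline(messages, stages):
    """Run each raw message through the parse stages in order; return kept records."""
    kept = []
    for raw in messages:
        record = {"_raw": raw}
        for expr, fields, nodrop in stages:
            record = apply_parse(record, expr, fields, nodrop)
            if record is None:
                break
        if record is not None:
            kept.append(record)
    return kept


# Constructed sample messages (not real log data): one with the plain form,
# one with the bracketed form, and one with no SRC/DST at all.
SAMPLE_MESSAGES = [
    "kernel: IN=eth0 SRC=10.0.0.5 DST=10.0.0.9 PROTO=TCP SPT=51234 DPT=22",
    "kernel: [SRC=192.0.2.7 DST=198.51.100.3 PROTO=UDP SPT=5353 DPT=5353",
    "sshd[2210]: Accepted publickey for alice from 203.0.113.4 port 40122",
]

# The two statements from the comment, second one with nodrop.
STAGES_WITH_NODROP = [
    ("SRC=* DST=* ", ("src_ip", "dst_ip"), False),
    ("[SRC=* DST=* ", ("src_ip", "dst_ip"), True),
]

# Same statements, but the second one drops non-matching messages.
STAGES_WITHOUT_NODROP = [
    ("SRC=* DST=* ", ("src_ip", "dst_ip"), False),
    ("[SRC=* DST=* ", ("src_ip", "dst_ip"), False),
]


def demo():
    """Return (records kept with nodrop, records kept without nodrop)."""
    return (
        run_pipeline(SAMPLE_MESSAGES, STAGES_WITH_NODROP),
        run_pipeline(SAMPLE_MESSAGES, STAGES_WITHOUT_NODROP),
    )


if __name__ == "__main__":
    with_nodrop, without_nodrop = demo()
    print("with nodrop on second parse:")
    for rec in with_nodrop:
        print(f"  src_ip={rec['src_ip']} dst_ip={rec['dst_ip']}")
    print("without nodrop on second parse:")
    for rec in without_nodrop:
        print(f"  src_ip={rec['src_ip']} dst_ip={rec['dst_ip']}")
```

With `nodrop`, both the plain and the bracketed message survive and each carries the values its own form supplied; the sshd line is dropped by the first statement either way. Without `nodrop`, the second statement also discards the plain-form message, leaving only the bracketed one.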
