I want to parse fields conditionally on the type field, like in the example below:
1) type = waf, attack_type=Information Leakage, date_time=2020-07-30 16:18:59, dest_ip=220.127.116.11, dest_port=443, geo_location=GB
2) type = ipi, action=Drop, attack_type=custom_category, date_time=Jul 30 2020 16:18:57, errdefs_msg_name=IP Intelligence Event, errdefs_msgno=23003142
Both are part of the same source, so if type = waf then parse differently than if type = ipi.
I tried the below, but it's not working:
_sourceCategory="Test"| parse "type = *," as Type1 nodrop| if(Type1="ipi", parse " errdefs_msg_name=" as errdefs_msg_name, "")
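As an added example that is not part of the question above, the same split-on-type parsing written in Python over the two sample events, so the per-type field sets and the two date formats can be checked outside the query language. The required-field lists, the date formats and the sample events themselves are assumptions drawn from the two lines in the question.

```python
import re
from datetime import datetime

# Constructed sample events, copied from the two formats in the question.
SAMPLE_EVENTS = [
    "type = waf, attack_type=Information Leakage, date_time=2020-07-30 16:18:59, "
    "dest_ip=220.127.116.11, dest_port=443, geo_location=GB",
    "type = ipi, action=Drop, attack_type=custom_category, date_time=Jul 30 2020 16:18:57, "
    "errdefs_msg_name=IP Intelligence Event, errdefs_msgno=23003142",
]

# Tolerates optional whitespace around '=', which is why "type = waf" and
# "attack_type=..." can be handled by one pattern.
PAIR_RE = re.compile(r"\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)")

# Assumed per-type field sets and timestamp formats, taken from the samples.
REQUIRED = {
    "waf": ("attack_type", "dest_ip", "dest_port", "geo_location"),
    "ipi": ("action", "errdefs_msg_name", "errdefs_msgno"),
}
DATE_FORMATS = {"waf": "%Y-%m-%d %H:%M:%S", "ipi": "%b %d %Y %H:%M:%S"}


def split_fields(event):
    """Split 'k=v, k=v' into a dict. Values may contain spaces and colons
    but never commas in these samples, so splitting on ',' is safe."""
    fields = {}
    for chunk in event.split(","):
        m = PAIR_RE.fullmatch(chunk)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def parse_event(event):
    """Return the type-specific fields, or None when the event should be
    dropped (unknown type or a required field for that type is missing)."""
    fields = split_fields(event)
    kind = fields.get("type")
    raw_ts = fields.get("date_time")
    if kind not in REQUIRED or raw_ts is None:
        return None
    out = {"type": kind}
    for name in REQUIRED[kind]:
        if name not in fields:
            return None
        out[name] = fields[name]
    out["date_time"] = datetime.strptime(raw_ts, DATE_FORMATS[kind])
    return out
```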