Parsing based on condition

Follow

Swapnil Modak

• July 30, 2020 16:40

Hi,

I want to parse fields on condition type, like below example

1) type = waf, attack_type=Information Leakage, date_time=2020-07-30 16:18:59, dest_ip=107.162.156.47, dest_port=443, geo_location=GB

2) type = ipi, action=Drop, attack_type=custom_category, date_time=Jul 30 2020 16:18:57, errdefs_msg_name=IP Intelligence Event, errdefs_msgno=23003142

Both are part of same source, so if type = waf then parse differently then type =ipi,

 

I tried below but it's not working,

 

_sourceCategory="Test"| parse "type = *," as Type1 nodrop| if(Type1="ipi", parse " errdefs_msg_name=" as errdefs_msg_name, "")

0

• Official comment

  

  Nathan Beltran

  • August 13, 2020 18:39

  Hi Swapnil,

  I see that you have opened a ticket with support for this. As mentioned in the ticket the parse statement is not an available condition with the "if" operator.
  
  One option you might want to look at is using the join or transaction operator.
  
  https://help.sumologic.com/05Search/Search-Query-Language/Search-Operators/join
  https://help.sumologic.com/05Search/Search-Query-Language/Transaction-Analytics/Transactionize-operator

  Regards,

  Nathan 

   

  Comment actions Permalink

Please sign in to leave a comment.