We have updated our Terms of Service, Code of Conduct, and Addendum.

Extract Fields from raw

Rajneesh Shukla
Rajneesh Shukla Posts: 3
in General Discussions

In raw there is a field called origin="123456"

I want to extract this from the events

how can I do this?

Tagged:

Answers

  • Jon Rust
    Jon Rust Posts: 507 mod
    edited April 2024

    There are many ways. Easiest may be the Parser function. You could also use the Regex Extract function, or an Eval function with a regex pattern match inside it.

    I'd highly recommend you visit sandbox.cribl.io and Cribl University to begin your Cribl journey.

  • Rajneesh Shukla
    Rajneesh Shukla Posts: 3

    I have used Regex Extract to do this example -

    I have a event-

    raw: origin=123.123.123.123

    host: 233.233.233.233

    I want to make those fields host = origin, with the help of regex I extracted both origin and host which function will allow me to do this next.

    host = orgin

  • Jon Rust
    Jon Rust Posts: 507 mod

    You can use Rename to rename origin to host, or you can use Eval to set host = origin

    image.png

    image.png
  • Rajneesh Shukla
    Rajneesh Shukla Posts: 3

    Thanks Jon

Categories