Extractors not showing in all fields


(Bob Gizynski) #1

Example message:
oratst01 audit_log: type=SYSCALL msg=audit(1523563770.592:72523244): arch=c000003e syscall=82 success=yes exit=0 a0=7f043000f910 a1=7f043000fe50 a2=7f043000fe50 a3=442f676e69646e65 items=4 ppid=11580 pid=19953 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=15056 comm="java" exe="/u01/oracle/product/agent/agent_13.2.0.0.0/oracle_common/jdk/bin/java" key="delete"

Extractor configuration:
Extractor type: Regular expression
Source field: message
Regular expression: ^(.+)audit_log
(The first matcher group is used for extraction.)
Extractor preview: oratst01
Condition: Always try to extract / Only attempt extraction if field contains string / Only attempt extraction if field matches regular expression
(Extracting only from messages that match a certain condition helps you avoid wrong or unnecessary extractions and can also save CPU resources.)
Store as field: hostname
(The field name can only contain alphanumeric characters and underscores, e.g. http_response_code.)
Extraction strategy: Copy / Cut
(The cutting feature cannot be used on standard fields like message and source.)
Extractor title: linux-auditd-hostname
Add converter: Select a converter
(Converters transform the extracted value.)

See, this extractor is being recognized, but it doesn't show in all fields.

Is this a bug?
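
As an added example (not code from this thread or from Graylog itself), the following Python reproduces what a "first matcher group" regex extractor does on the auditd line posted above, compares the posted pattern with a stricter one, and goes a step further by splitting the auditd key=value pairs into separate fields, which is what a detection pipeline usually wants from such a line. The auditd sample is the one from the post; the second, non-auditd line is constructed here to show a message on which the extractor does not fire.

```python
import re

# Sample input: the auditd line quoted in the post above, plus one constructed
# non-auditd line to show what happens when the extractor pattern does not match.
AUDITD_LINE = (
    'oratst01 audit_log: type=SYSCALL msg=audit(1523563770.592:72523244): '
    'arch=c000003e syscall=82 success=yes exit=0 a0=7f043000f910 a1=7f043000fe50 '
    'a2=7f043000fe50 a3=442f676e69646e65 items=4 ppid=11580 pid=19953 auid=1000 '
    'uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 '
    'tty=(none) ses=15056 comm="java" '
    'exe="/u01/oracle/product/agent/agent_13.2.0.0.0/oracle_common/jdk/bin/java" key="delete"'
)
# Constructed line (hypothetical sshd message) that carries no "audit_log" marker.
OTHER_LINE = 'oratst01 sshd[2211]: Accepted publickey for oracle from 10.0.0.5 port 51234'

# The pattern from the post, and a stricter alternative that stops at the first
# whitespace so the captured hostname carries no trailing space.
POSTED_PATTERN = r'^(.+)audit_log'
STRICT_PATTERN = r'^(\S+)\s+audit_log'


def extract_first_group(pattern, message):
    """Behave like a 'first matcher group' regex extractor: return group 1, or None
    when the pattern does not match (in which case no field would be stored)."""
    match = re.search(pattern, message)
    if match is None or match.lastindex is None:
        return None
    return match.group(1)


def extractor_coverage(pattern, messages):
    """Apply the extractor to every message and return the value produced for each
    (None where it did not fire). Running this over a sample of real lines shows
    which messages will end up without the field."""
    return [extract_first_group(pattern, m) for m in messages]


# One key=value token: a double-quoted string, a parenthesised value such as
# tty=(none), or a bare run of non-whitespace.
KV_TOKEN = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')


def parse_audit_fields(message):
    """Split the auditd body (everything after 'audit_log:') into a dict of fields,
    stripping the double quotes auditd puts around values such as comm, exe and key."""
    marker = 'audit_log:'
    body = message.split(marker, 1)[1] if marker in message else message
    return {key: value.strip('"') for key, value in KV_TOKEN.findall(body)}


if __name__ == '__main__':
    for pattern in (POSTED_PATTERN, STRICT_PATTERN):
        print(pattern, extractor_coverage(pattern, [AUDITD_LINE, OTHER_LINE]))
    fields = parse_audit_fields(AUDITD_LINE)
    print({k: fields[k] for k in ('type', 'syscall', 'uid', 'comm', 'exe', 'key')})
```

Two things this makes visible: `^(.+)audit_log` is greedy and captures `oratst01 ` including the space before `audit_log`, while `^(\S+)\s+audit_log` captures just `oratst01`; and any message without the `audit_log` marker (the constructed sshd line) produces no value at all, so the stored field is simply absent on those messages rather than empty.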


(Jochen) #2

Please provide some screenshots and a clear formulation what you want to achieve and what doesn’t work.


(Bob Gizynski) #3

I think I fixed the issue.

Thanks for your response!!


(system) #4

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.