How to test a field value using regex, in order to determine if an extractor has to run?

I am building extractors to parse an alarm log with comma-separated fields.

Depending on the field values I need to use a different extractor. So I use the "only execute extractor if regex is true" field.

However, that is easy if you would like to check, e.g., whether the string starts with “someword”, but complicated if you need to check the value of a certain field.

So I hope someone can help. What I need is the following:

  • assume the input string / field is like this: ,,,, etc.
  • I want to check the value of field “3”
  • and I want to check if the content is ‘fruit’
  • or check the opposite: if the content is <> ‘fruit’

As described, the intention is that the regex determines whether the extractor should run.

Louis
PS: I would love to see an extractor run check based on a previously extracted field, but that option is not there :hot_face: :hot_face:

Hello @louis,

It sounds like this kind of parsing would be better placed utilising pipelines/rules; would the below example, or something similar, work for your case?

// A pipeline rule needs a rule declaration before the when/then block.
rule "parse alarm log"
when
  // only run the rule when the whole message matches your regex
  regex("your*regex?", to_string($message.message)).matches == true
then
  // split the message on the separator and assign the pieces to named fields
  let pf = split(pattern: " ", value: to_string($message.message));
  set_field("date", pf[0]);
  set_field("time", pf[1]);
  set_field("action", pf[2]);
  set_field("protocol", pf[3]);
  set_field("src-ip", pf[4]);
  set_field("dst-ip", pf[5]);
  set_field("src-port", pf[6]);
  set_field("dst-port", pf[7]);
  set_field("size", pf[8]);
  set_field("path", pf[16]);
end
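As an added example (not from the original thread and not Graylog's own code), the script below shows how to build the anchored regex the question asks for, "field 3 is 'fruit'" and its negation "field 3 is not 'fruit'", and exercises it against constructed comma-separated sample lines. It also includes a split-based check of the same field, which is the approach the pipeline-rule answer above takes. The sample lines, the field layout and the function names are assumptions for illustration; the regex constructs used (`(?:…)`, `(?!…)`, `{n}`, `[^,]*`, `^`, `$`) behave the same in Python's `re` and in the Java regex engine Graylog uses.

```python
import re

# Constructed sample alarm-log lines (made up for this example, not from the original post).
# Field 3 is the one the question wants to test.
SAMPLE_LINES = [
    "2024-01-01 12:00:00,node1,fruit,apple,OK",         # field 3 == fruit
    "2024-01-01 12:00:01,node2,vegetable,carrot,WARN",  # field 3 != fruit
    "2024-01-01 12:00:02,node3,fruitcake,bad,ALARM",    # prefix trap: starts with "fruit"
    "node4,fruit",                                      # only two fields: field 3 is absent
]


def field_condition_regex(index, value, negate=False):
    """Return an anchored pattern that matches only when 1-based CSV field `index` equals `value`.

    ^(?:[^,]*,){n}  consumes exactly the n fields before the one under test (a field cannot
    contain a comma, so the repetition cannot drift to a later field). The tested value must
    be followed by a comma or end of string, otherwise 'fruit' would also accept 'fruitcake'.
    With negate=True a negative lookahead inverts the test, but the field must still exist.
    """
    if index < 1:
        raise ValueError("field index is 1-based")
    prefix = r"^(?:[^,]*,){%d}" % (index - 1)
    wanted = re.escape(value) + r"(?:,|$)"
    if negate:
        return prefix + r"(?!" + wanted + r")[^,]*(?:,|$)"
    return prefix + wanted


def should_run(line, index, value, negate=False):
    """The 'only run the extractor if the regex matches' decision, evaluated in Python."""
    return re.search(field_condition_regex(index, value, negate), line) is not None


def csv_field(line, index):
    """Split-based equivalent (as in the pipeline rule): field `index` (1-based) or None."""
    parts = line.split(",")
    return parts[index - 1] if len(parts) >= index else None


def choose_extractor(line):
    """Which extractor would fire for a line: 'fruit', 'other', or None when field 3 is absent."""
    if should_run(line, 3, "fruit"):
        return "fruit"
    if should_run(line, 3, "fruit", negate=True):
        return "other"
    return None


if __name__ == "__main__":
    print("positive:", field_condition_regex(3, "fruit"))
    print("negated: ", field_condition_regex(3, "fruit", negate=True))
    for line in SAMPLE_LINES:
        print(f"{line!r:55} field3={csv_field(line, 3)!r:12} extractor={choose_extractor(line)}")
```

Two points worth checking when you paste such a pattern into the extractor condition: keep the `^` anchor, so the engine cannot satisfy `(?:[^,]*,){2}fruit` somewhere in the middle of a longer record, and note that the negated form is not simply "the positive regex fails". A line with fewer than three fields matches neither pattern, so decide deliberately which extractor, if any, should handle malformed records.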