Split message and create dashboard


(Achrafbsecure) #1

I want to split my message and create a dashboard. I just need the dismhost.exe part, as an example.

L’accès à C:\Users\rlugassy\AppData\Local\Temp\84A0F7C0-F2D2-4159-81FD-FB32FFE1F8EF\dismhost.exe a été restreint par votre administrateur par le niveau de stratégie de restriction du logiciel.


(GT) #2

You would want to run a grok extractor on the field containing this data. Something such as:

^%{DATA:UNWANTED}\\%{URLENDING:FIELDNAME}\s%{DATA:UNWANTED}.$

Please note the use of the data grok pattern is not advised; use this template to build/use a grok pattern that is more specific for this use case. For example, you could use a grok pattern for words instead of the third data grok.

In this case the regex:

\w+.\w+

would work for the ending of the URL; it may need to be altered for other use cases.
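
Added example, not part of the original thread and not Graylog code: a small Python harness that expands the grok pattern from post #2 into a regular expression and runs it against the message from post #1, next to a more specific pattern that avoids DATA. The helper names and the WINDIR and EXENAME patterns are assumptions made for this example.

```python
import re

# DATA is the stock grok definition. URLENDING is the custom pattern from the
# thread (dot escaped here). WINDIR and EXENAME are hypothetical custom
# patterns made up for this example; paths containing spaces are not handled.
PATTERNS = {
    "DATA": r".*?",
    "URLENDING": r"\w+\.\w+",
    "WINDIR": r"[A-Za-z]:\\(?:[^\\\s]+\\)*",
    "EXENAME": r"[\w.-]+\.exe",
}
GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")

# Pattern from the reply above, with the backslash before the file name escaped.
THREAD_GROK = r"^%{DATA:UNWANTED}\\%{URLENDING:FIELDNAME}\s%{DATA:UNWANTED}.$"
# More specific variant without DATA: drive-letter directory, then an .exe name.
TIGHT_GROK = r"%{WINDIR:dir}%{EXENAME:file}\s"

# Message from the first post in the thread.
MESSAGE = ("L’accès à C:\\Users\\rlugassy\\AppData\\Local\\Temp\\"
           "84A0F7C0-F2D2-4159-81FD-FB32FFE1F8EF\\dismhost.exe a été restreint "
           "par votre administrateur par le niveau de stratégie de restriction "
           "du logiciel.")

def grok_to_regex(grok):
    """Expand each %{NAME:field} reference into a named capture group."""
    seen = set()
    def expand(ref):
        name, field = ref.group(1), ref.group(2)
        body = PATTERNS[name]
        # Python forbids duplicate group names, so a repeated field such as
        # UNWANTED is captured only the first time.
        if field is None or field in seen:
            return f"(?:{body})"
        seen.add(field)
        return f"(?P<{field}>{body})"
    return re.compile(GROK_REF.sub(expand, grok))

def extract(grok, message):
    """Return the extracted fields as a dict, or None when nothing matches."""
    match = grok_to_regex(grok).search(message)
    return match.groupdict() if match else None

if __name__ == "__main__":
    print(extract(THREAD_GROK, MESSAGE)["FIELDNAME"])
    print(extract(TIGHT_GROK, MESSAGE))
    print(extract(TIGHT_GROK, "Service started normally."))  # constructed line
```

In Graylog the same patterns would be entered as custom grok patterns and tested against a sample message in the extractor editor before saving.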


(Achrafbsecure) #3

Hi, how can I use it, because I’m new to Graylog?


(GT) #4

Read this: http://docs.graylog.org/en/2.4/pages/extractors.html

I’d suggest you read it all, but focus on the Grok extractors as you will need to use them.

