Split message and create dashboard

I want to split my message and create a dashboard. I just need the part with dismhost.exe, for example:

Access to C:\Users\rlugassy\AppData\Local\Temp\84A0F7C0-F2D2-4159-81FD-FB32FFE1F8EF\dismhost.exe has been restricted by your administrator by the software restriction policy level.

You would want to run a grok extractor on the field containing this data. Something such as:

^%{DATA:UNWANTED}\\%{URLENDING:FIELDNAME}\s%{DATA:UNWANTED}.$

Please note that using the DATA grok pattern is not advised; use this as a template to build a grok pattern that is more specific to this use case. For example, you could use a grok pattern for words instead of the third DATA grok.

In this case the regex (defined as the custom grok pattern URLENDING):

\w+\.\w+

would work for the ending of the URL; it may need to be altered for other use cases.
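As an added illustration, not code from the thread or from Graylog itself, here is a small Python model of what the Graylog grok extractor does with the pattern above: the tiny grok library, the `%{NAME:field}` expansion and the match are all constructed here. `URLENDING` and `WINEXE` are assumed custom pattern names that would have to be added under System > Grok Patterns before an extractor can reference them, and the sample lines are constructed renderings of the message in the question. It also goes a little beyond the single case in the thread: it shows why the dot in the `URLENDING` regex has to be escaped, and a tighter pattern that only matches `.exe` basenames.

```python
import re

# Constructed sample: English rendering of the Software Restriction Policy message
# from the question (path and GUID as posted there).
SAMPLE = (
    r"Access to C:\Users\rlugassy\AppData\Local\Temp\84A0F7C0-F2D2-4159-81FD-FB32FFE1F8EF\dismhost.exe "
    "has been restricted by your administrator by the software restriction policy level."
)
# Constructed sample with a space inside a directory name, to show the escaping caveat.
SPACED_SAMPLE = (
    r"Access to C:\Temp\foo bar\dismhost.exe "
    "has been restricted by your administrator by the software restriction policy level."
)

# Minimal grok pattern library. DATA and GREEDYDATA mirror the stock grok definitions;
# URLENDING and WINEXE are assumed custom pattern names (in Graylog they would live
# under System > Grok Patterns). URLENDING_UNESCAPED is the thread's regex with a bare dot.
PATTERNS = {
    "DATA": r".*?",
    "GREEDYDATA": r".*",
    "URLENDING": r"\w+\.\w+",            # basename.ext, dot escaped
    "URLENDING_UNESCAPED": r"\w+.\w+",   # bare dot: matches ANY single character
    "WINEXE": r"[\w\-]+\.exe",           # tighter: only *.exe names
}

# The pattern from the thread, with the path separator written as a literal backslash.
THREAD_PATTERN = r"^%{DATA:UNWANTED}\\%{URLENDING:FIELDNAME}\s%{DATA:UNWANTED}.$"
UNESCAPED_PATTERN = r"^%{DATA:UNWANTED}\\%{URLENDING_UNESCAPED:FIELDNAME}\s%{DATA:UNWANTED}.$"
# Tighter variant: unnamed references become non-capturing, only the executable is kept.
TIGHT_PATTERN = r"^%{DATA}\\%{WINEXE:executable}\s%{GREEDYDATA}$"

GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def grok_to_regex(pattern: str, library=PATTERNS) -> str:
    """Expand %{NAME:field} references into Python named groups.

    Grok does the same substitution before handing the result to the regex engine
    (Java writes (?<name>...), Python (?P<name>...)). A field name that is reused,
    as UNWANTED is in the thread, gets a numeric suffix because a regex may not
    define the same group name twice.
    """
    seen = {}

    def repl(m):
        name, field = m.group(1), m.group(2)
        sub = library[name]
        if field is None:
            return f"(?:{sub})"
        n = seen.get(field, 0)
        seen[field] = n + 1
        group = field if n == 0 else f"{field}_{n}"
        return f"(?P<{group}>{sub})"

    return GROK_REF.sub(repl, pattern)


def grok_match(pattern: str, line: str) -> dict:
    """Run an expanded grok pattern against one message; {} when it does not match."""
    m = re.compile(grok_to_regex(pattern)).match(line)
    return m.groupdict() if m else {}


def extract_executable(line: str):
    """The field a dashboard widget would be built on: just the executable basename."""
    return grok_match(TIGHT_PATTERN, line).get("executable")


if __name__ == "__main__":
    print(grok_to_regex(THREAD_PATTERN))
    print(grok_match(THREAD_PATTERN, SAMPLE)["FIELDNAME"])            # dismhost.exe
    print(grok_match(UNESCAPED_PATTERN, SPACED_SAMPLE)["FIELDNAME"])  # Temp\foo (wrong)
    print(grok_match(THREAD_PATTERN, SPACED_SAMPLE)["FIELDNAME"])     # dismhost.exe
    print(extract_executable(SAMPLE))                                 # dismhost.exe
```

The bare-dot version of the regex happens to work on the original message, but on `SPACED_SAMPLE` it latches onto `Temp\foo` because `.` matches the path separator and `\s` matches the space in `foo bar`; with the dot escaped the lazy DATA prefix has to keep scanning until it reaches the real `name.ext` basename. In Graylog the same expansion happens inside a Grok-pattern extractor on the `message` field, with the named field (here `FIELDNAME` or `executable`) then available for a dashboard widget.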

Hi, how can I use it? I'm new to Graylog.

Read this: http://docs.graylog.org/en/2.4/pages/extractors.html

I’d suggest you read it all, but focus on the Grok extractors as you will need to use them.
