Hi, I’m trying to extract part of a file path from a log message into its own field.
E:\Network_PSTranscript\20221212\PowerShell_transcript.HOST-NAME.9oeXqxIz.20221212144458.txt
Example message above, I want to extract just the “HOST-NAME” rules I’ve tried I end up with just the part after the - not the entire string.
Hello && Welcome @David_W
Can you give us some more information on what you did and/or your environment?
Hi, I managed to actually get it working after playing with it some more. Next question can I actually use the extracted data to overwrite the source field instead of creating a new field for it?
Hey,
The source field will be there by defualt. I think you can maniply the dta in the source field with a pipeline. If not then yes you will need to create a new field. I think i have a pipeline for that somewhere, when i find it ill post it here.
EDIT: I do belive youll need to make a new field, the source field maybe hard coded.
here is an example.
rule "Attach NodID to Messages"
when
has_field("gl2_source_node") AND contains(to_string($message.gl2_source_node), "0e68c48b-29cc-4085-a2ca-bc700fcf82da")
then
set_field("node_name","graylog.domain.com");
end
Perhaps post what you have then what want and other here could help you.