Trying to extract part of file path

Hi, I’m trying to extract part of a file path from a log message into its own field.

E:\Network_PSTranscript\20221212\PowerShell_transcript.HOST-NAME.9oeXqxIz.20221212144458.txt

Example message above. I want to extract just the “HOST-NAME”. With the rules I’ve tried, I end up with just the part after the -, not the entire string.

Hello && Welcome @David_W

Can you give us some more information on what you did and/or your environment?

Hi, I managed to actually get it working after playing with it some more. Next question: can I actually use the extracted data to overwrite the source field instead of creating a new field for it?

Hey,

The source field will be there by default. I think you can manipulate the data in the source field with a pipeline. If not, then yes, you will need to create a new field. I think I have a pipeline for that somewhere; when I find it I’ll post it here.

EDIT: I do believe you’ll need to make a new field; the source field may be hard coded.
Here is an example.

rule "Attach NodID to Messages"

when
    has_field("gl2_source_node") AND contains(to_string($message.gl2_source_node), "0e68c48b-29cc-4085-a2ca-bc700fcf82da")
then
    set_field("node_name","graylog.domain.com");
end

Perhaps post what you have, then what you want, and others here could help you.
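
For the extraction asked about at the top of the thread, one possible pipeline rule is sketched below. It is an added example, not a rule posted by anyone in the thread. It assumes the transcript path is the whole value of the `message` field and that file names follow the layout of the sample path; `transcript_host` is a hypothetical field name.

```graylog
rule "Extract host from PowerShell transcript path"
when
    // Assumption: the path arrives in "message" and the value ends with ".txt".
    has_field("message") AND
    regex("^.*PowerShell_transcript\\.(.+)\\.[^.]+\\.\\d{14}\\.txt$", to_string($message.message)).matches == true
then
    // Layout inferred from the sample path in the question:
    //   PowerShell_transcript.<host>.<id>.<14-digit timestamp>.txt
    // The host is captured with (.+) rather than \w+ because \w does not match "-".
    // The two trailing segments (<id> and <timestamp>) are matched explicitly, so a
    // host name that itself contains dots or hyphens is still captured whole.
    let m = regex("^.*PowerShell_transcript\\.(.+)\\.[^.]+\\.\\d{14}\\.txt$", to_string($message.message));
    // Unnamed capture groups are addressed by index, starting at "0".
    // "transcript_host" is a hypothetical field name.
    set_field("transcript_host", to_string(m["0"]));
end
```

The rule only fires when the pattern matches, so messages without a transcript path are left untouched.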
