Vulnerability Scan Detection

I’m not sure they pay you enough for posts like this @gsmith!

I thought about using the key_value() function with the data but only specific fields are desired.

(On a side note it helps a LOT if you post the text of the message rather than a picture, it gives others something to play with for the answer…)

With regex it would be more efficient to have a single search and use the grouping to pull out the things you want… something like this:

rule "Extract multiple fields"
when
  has_field("message")
then
  // One regex over the whole message; each (\S+) is a capture group for one field.
  let BatSignals = regex("srcport=(\\S+).*proto=(\\S+).*srcintf=(\\S+)", to_string($message.message));

  // Read each capture group back out of the match result and store it as its own field.
  set_field("srcport",          BatSignals["1"]);
  set_field("protocol",         BatSignals["2"]);
  set_field("sourceInterface",  BatSignals["3"]);
end
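The same extraction as an added Python example (it is not the post's code and not part of Graylog; the sample lines, the field mapping and the key=value variant are my own constructions). It shows the single-regex approach beside an order-independent key=value parse that keeps only the wanted fields, and what each returns when the message is reordered or a field is missing.

```python
import re

# Constructed sample line in FortiGate-style key=value format (not taken from the thread).
SAMPLE = 'date=2024-01-01 srcip=10.0.0.5 srcport=51514 dstport=443 proto=6 srcintf="port1" action=accept'

# The single-regex approach from the post, with named groups so the mapping to
# Graylog field names is explicit. It only matches when the keys appear in this order.
FIELD_RE = re.compile(
    r'srcport=(?P<srcport>\S+).*proto=(?P<protocol>\S+).*srcintf=(?P<sourceInterface>\S+)'
)


def extract_with_regex(message: str) -> dict:
    """One regex, three capture groups -> three fields.
    Returns {} when the pattern does not match, so a caller never stores empty fields."""
    m = FIELD_RE.search(message)
    if not m:
        return {}
    return {name: value.strip('"') for name, value in m.groupdict().items()}


# Order-independent alternative: parse every key=value pair (quoted or bare value),
# then keep only the keys you want, renamed to the field names you want in Graylog.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Hypothetical mapping of log key -> destination field name, matching the post's three fields.
WANTED = {"srcport": "srcport", "proto": "protocol", "srcintf": "sourceInterface"}


def extract_selected_kv(message: str, wanted: dict = WANTED) -> dict:
    """Parse all key=value pairs, return only the wanted ones under their new names.
    A missing key is simply absent from the result instead of breaking the whole match."""
    pairs = {key: value.strip('"') for key, value in KV_RE.findall(message)}
    return {field: pairs[key] for key, field in wanted.items() if key in pairs}


if __name__ == "__main__":
    print(extract_with_regex(SAMPLE))
    print(extract_selected_kv(SAMPLE))
    # Same keys in a different order: the regex fails, the key=value parse still works.
    print(extract_with_regex('proto=17 srcintf="port2" srcport=53'))
    print(extract_selected_kv('proto=17 srcintf="port2" srcport=53'))
```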