topic Re: How do you write props and transforms for my below search? in Getting Data In

How do you write props and transforms for my below search?

raghuchams4527 — Fri, 21 Dec 2018 14:40:16 GMT

I'm looking for transforms and props.conf to get the two fields act and action

index=blue_sec sourcetype=rsa:security_analytics
|rex field=_raw "act=(?[^\"]+)\sspt="| makemv delim="," act| stats values(act) AS action by _raw  
|rex field=_raw "act=(?[^\"]+)\sspt=" | table act,action

Re: How do you write props and transforms for my below search?

skoelpin — Fri, 21 Dec 2018 15:42:51 GMT

What are you trying to do? I see you're using rex to extract fields but they don't have names. Also, whats your purpose for wanting to use transforms and props?

Re: How do you write props and transforms for my below search?

gcusello — Fri, 21 Dec 2018 15:47:43 GMT

HI raghuchams4527,
did you tried to extract your fields using the Field Extractor?
You can use your regexes.

Otherwise, you can go in fields section and create a new field using your regexes.

To better help you, could you use the Code Sample button to display your regexes? without it it isn't possible to correctly see your regex.

Bye.
Giuseppe

Re: How do you write props and transforms for my below search?

raghuchams4527 — Fri, 21 Dec 2018 16:02:59 GMT

I want to extract act and action fields. If you remove the stats command im not getting the unique values from action field.

the values i'm looking
act = GET,POST,GET,GET,GET,GET,POST,POST
action = GET POST

Re: How do you write props and transforms for my below search?

raghuchams4527 — Fri, 21 Dec 2018 16:04:01 GMT

Thanks for the suggestion. I'm looking for the transforms how to write makemv delim and stats command in props and transform.

Re: How do you write props and transforms for my below search?

gcusello — Fri, 21 Dec 2018 16:10:42 GMT

HI raghuchams4527,
if you want, you can create a macro with your commands, this is useful if you think to reuse your search.
Bye.
Giuseppe

Re: How do you write props and transforms for my below search?

raghuchams4527 — Fri, 21 Dec 2018 16:12:38 GMT

how to create a macro?

Re: How do you write props and transforms for my below search?

gcusello — Fri, 21 Dec 2018 16:17:27 GMT

HI raghuchams4527,
go in Settings -- Advanced Search -- Search macros -- Add new
and then copy your commands or part of them.
Bye.
Giuseppe

Re: How do you write props and transforms for my below search?

raghuchams4527 — Fri, 21 Dec 2018 16:21:31 GMT

thanks cusello

Re: How do you write props and transforms for my below search?

gcusello — Fri, 21 Dec 2018 16:28:57 GMT

HI raghuchams4527,
if you're satisfied by this answer, please accept and/ot upvote it.
Bye.
Giuseppe

Re: How do you write props and transforms for my below search?

raghuchams4527 — Fri, 21 Dec 2018 18:05:58 GMT

I want to extract act and action fields. If you remove the stats command im not getting the unique values from action field.

the values i'm looking
act = GET,POST,GET,GET,GET,GET,POST,POST
action = GET POST

Re: How do you write props and transforms for my below search?

raghuchams4527 — Tue, 29 Sep 2020 22:27:33 GMT

Re: How do you write props and transforms for my below search?

raghuchams4527 — Fri, 21 Dec 2018 18:08:31 GMT

Actually i put the name for rex but its not displayed on the result. (?)