I am trying to source a way to only perform a certain set of extractions on the "Message" field, when EventCode=4265 (e.g).
Anyone has any clue? I don't want to apply the extraction directly on each event, as it may cause performance issue.
you can do the following
index=windows_events EventCode=4265 | rex "your_regex"
you can use erex to help you in building regex as per the following
index=windows_events EventCode=4265 | erex Message examples="error,login"
Yes that can be done, run the query on search
Then at the bottom of Fields bar (on left down corner of web interface)
press Extract New Fields
select any sample event
mark 4265 # the value of Event code we want to add to the regex
a menu will appear, select Require, then Add Required Text
mark the part pf the message you want to extract
a menu will appear, select Extract, provide Field Name, then Add Extraction
The generated regex will be added to props.conf