Hi All,

We have endpoint logs by default logs are in JSON format field which are auto extracted however we have two field name Protocol(tcp,udp etc) and RemotePort(443,8080 ,53 etc) . Actually we want dest_port=Protocol/RemotePort Example output tcp/443.

Sample log


Can we use existing extracted fields which are Protocol and RemotePort somehow map with desired field which is dest_port=Protocol/RemotePort or kindly help me to extract the field value.

Thanks in advance

hello there,

you can create a string from both fields.
something like this:
... | eval combined = Protocol. "/" .RemotePort" ...
try this search anywhere:

| makeresults count=1 
| eval data="TCP,8000 UDP,514 TCP,9997 UDP,1514"
| makemv delim=" " data
| mvexpand data
| rex field=data "(?<Protocol>\w+),(?<Port>\d+)"
| fields Port Protocol
| eval combined = Protocol. "/" .Port

hope it helps

