What should I do with the spl?

minpd0309 · ‎02-22-2023

HI! I want to make the log below in the form of the table below. What should I do with the spl?

[Log ex.]
[2023.01.23] TYPE : UPDATE, USER : master, [ ID : jenny, TYPE- AUTH : AB, O, B, A]

[table]

USER

ID

TYPE-AUTH

master

jenny

AB

O

B

A

I did SPL as below, and the dashboard comes out as below.
HELP ME PLZ... T. T

[SPL]
| rex field=TYPE-AUTH max_match=0 "(?P<type_auth>\w+)"

USER	ID	TYPE-AUTH
master	jenny	AB

minpd0309 · ‎02-22-2023

HI! @ITWhisperer I only set the rex!
Do you need any additional settings?~

ITWhisperer · ‎02-22-2023

It looks like your TYPE-AUTH field has not been extracted as you expected. How have you defined the extraction for this field?

minpd0309 · ‎02-22-2023

Please let me know if there is anything else I need to set up.

My English is weird because I turned on the translator.

minpd0309 · ‎02-22-2023

HI! @ITWhisperer I only set the rex!
Do you need any additional settings?~

ITWhisperer · ‎02-22-2023

Assuming your events look exactly like your example, you probably need to extract the TYPE-AUTH field again.

| rex "TYPE-AUTH\s*:\s*(?<TYPE_AUTH>[^\]]"
| rex field=TYPE_AUTH max_match=0 "(?P<type_auth>\w+)"

minpd0309 · ‎02-22-2023

USER	ID	TYPE-AUTH
master	jenny	A

I modified it to the SPL you told me, but DASHBOARD comes out as below! T. T

ITWhisperer · ‎02-22-2023

Change your dashboard to use type_auth or assign the value from this field to TYPE-AUTH

| eval TYPE-AUTH=type_auth

Join the Conversation