I'm looking for transforms and props.conf to get the two fields act and action
index=blue_sec sourcetype=rsa:security_analytics |rex field=_raw "act=(?[^\"]+)\sspt="| makemv delim="," act| stats values(act) AS action by _raw |rex field=_raw "act=(?[^\"]+)\sspt=" | table act,action
HI raghuchams4527, did you tried to extract your fields using the Field Extractor? You can use your regexes.
Otherwise, you can go in fields section and create a new field using your regexes.
To better help you, could you use the Code Sample button to display your regexes? without it it isn't possible to correctly see your regex.
Bye. Giuseppe
Thanks for the suggestion. I'm looking for the transforms how to write makemv delim and stats command in props and transform.
HI raghuchams4527, if you want, you can create a macro with your commands, this is useful if you think to reuse your search. Bye. Giuseppe
how to create a macro?
HI raghuchams4527, go in Settings -- Advanced Search -- Search macros -- Add new and then copy your commands or part of them. Bye. Giuseppe
HI raghuchams4527, if you're satisfied by this answer, please accept and/ot upvote it. Bye. Giuseppe
thanks cusello
What are you trying to do? I see you're using rex to extract fields but they don't have names. Also, whats your purpose for wanting to use transforms and props?
rex
Actually i put the name for rex but its not displayed on the result. (?)
I want to extract act and action fields. If you remove the stats command im not getting the unique values from action field.
the values i'm looking act = GET,POST,GET,GET,GET,GET,POST,POST action = GET POST
