Hello!
We have an index with Cisco events and now we need to parse some fields such as device_mac and device_name. But we can't do it by regex because we get unstructured data from Cisco (the fields are swapped).
For example, in this log the device type comes first and the MAC after.
And in the next one the MAC comes first and the device type after.
Could you please help me? How can I parse these fields?
Thanks!
Use two rex commands
| rex "device-type=(?<devicetype>[^,]+)"
| rex "device-mac=(?<devicemac>[^,]+)"
Unless I'm missing something, the fields are labeled so parsing is trivial. KV_MODE=auto should do it at index-time. Or use a separate EXTRACT statement in props.conf for each field. Or use a separate rex command for each field in SPL.
Could you please give the EXTRACT syntax to add device-type and device-mac to props.conf?
EXTRACT-mac = device-mac=(?<deviceMac>[^,]+)
EXTRACT-type = device-type=(?<deviceType>[^,]+)
Could you please explain where I need to use this command?
In your SPL search query.
Can I use this command in a source type? Or maybe another command?
Thanks!
But I have one more question.
How can I save these fields so that I don't need the rex commands in search? I mean, how do I auto-extract them into fields without the rex command?