I have the following issue
I have two types of logs: A & B
A & B are from the same Index, have the same source type and same source (wish of the Client)
BUT they differ in two aspects:
1) one contains the value "cisco_aaa" and the other "cisco_bbb"
2) log A has the structure FIELDNAME=VALUE (for all fields)
log B has the structure FIELDNAME = VALUE\ (for all fields)
Since they belong to the same sourcetype, I have no idea how to delete this \ after the value.
1) split them into two different sourcetypes, apply regex in props.conf
You could run a SEDCMD in props.conf for that log file name.
Something like this to replace any backslash with nothing.
[source::..path/to/logb/logb.log]
SEDCMD-logbslash = s/\\//g
Then in theory the field extractions for Log A would work
You can test the sed command in search with a
Thank you very much.
1) I suppose changing the props.conf will cause changes on all fields?
2) I tried the rex command
index=aaa | rex field=AuthorizationPolicyMatchedRule mode=sed "s/\//g"
I get an error:
Error in 'rex' command: Failed to initialize sed. Failed to parse the replacement string.
You may have to experiment with the sed string a little to get it to work. I'm no master at it myself.
I tried this on my searches, which worked.
| rex mode=sed field=_raw "s/\\\//g"
Search snippet before sed.
Can you provide some sample (obfuscated) data for each type of log? If you don't mind actually changing the events, it can be done in
props.conf to make them look the same, but it will take seeing actual data to provide you with that answer.
Log A; as you can see, some field values contain \ at the end and some do not:
Sep 17 09:32:55 255.255.255.33 Sep 17 09:32:55 serverABC Log_A INFO OperatingSystem=Windows, EndpointCertainityMetric=50, EndpointIPAddress=x.x.x.22\, EndpointMacAddress=aa:x:x:x:x:aa, RadiusPacketType=AccessRequest\ DestinationIPAddress=x.x.x.44\
Log B, just a normal log:
Sep 17 09:32:55 255.255.255.34 Sep 17 09:32:55 serverDEF Log_B INFO SelectedAccessService=XXX, SelectedAuthorizationProfiles=YYY, SelectedAuthenticationIdentityStores=Internal Endpoints, AuthenticationStatus=AuthenticationPassed...
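A way to check the SEDCMD expression from the props.conf answer offline before changing anything in Splunk, as an added example that is not from this thread, from Splunk, or from the poster: it runs the same s/\\//g through the shell's sed against a constructed copy of the Log A line above, counts the backslashes before and after, and then pulls out single FIELD=VALUE pairs to confirm the trailing backslash no longer ends up inside the value. The sample line and the function names (strip_backslashes, count_backslashes, get_field) are my own; the values are obfuscated placeholders like the ones in the post.

```shell
#!/bin/sh
# Constructed sample mirroring the obfuscated Log A event quoted in the thread (not a real event).
SAMPLE_LOG_A='Sep 17 09:32:55 255.255.255.33 Sep 17 09:32:55 serverABC Log_A INFO OperatingSystem=Windows, EndpointCertainityMetric=50, EndpointIPAddress=x.x.x.22\, EndpointMacAddress=aa:x:x:x:x:aa, RadiusPacketType=AccessRequest\ DestinationIPAddress=x.x.x.44\'

# Same expression as the proposed SEDCMD: delete every backslash in the event.
# Single quotes hand sed the literal text s/\\//g, where \\ is one escaped backslash.
strip_backslashes() {
    printf '%s\n' "$1" | sed 's/\\//g'
}

# Number of backslashes in a string; lets us confirm the transform did its job.
count_backslashes() {
    printf '%s' "$1" | tr -cd '\\' | wc -c | tr -d ' '
}

# Value of one FIELD=VALUE pair after stripping. The value runs up to the next
# comma or space, which is how the fields in Log A are separated once the
# backslashes are gone. $1 = event, $2 = field name.
get_field() {
    printf '%s\n' "$1" | sed 's/\\//g' | sed -n "s/.*$2=\([^, ]*\).*/\1/p"
}

# Stand-alone usage: show the before/after line and a couple of extracted fields.
printf 'backslashes before: %s\n' "$(count_backslashes "$SAMPLE_LOG_A")"
CLEANED=$(strip_backslashes "$SAMPLE_LOG_A")
printf 'backslashes after:  %s\n' "$(count_backslashes "$CLEANED")"
printf 'EndpointIPAddress=%s\n' "$(get_field "$SAMPLE_LOG_A" EndpointIPAddress)"
printf 'DestinationIPAddress=%s\n' "$(get_field "$SAMPLE_LOG_A" DestinationIPAddress)"
```

Running it on a copy of a few real Log A events is a cheap way to confirm that the only characters removed are the stray trailing backslashes; if the client's field values can legitimately contain a backslash (Windows paths, domain\user names), the pattern should be narrowed to a backslash followed by a comma or end of line rather than deleting every backslash.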