Hello, guys
I`m trying to extract URL field from my log in Data Model (it is not extracted from _raw log and is not seen via index). I have found some variants in similar topics and added a new field (with regular expression) to Data Model. It does not cover 100% of my events, but it works.
However, I still don`t see this field when run the command
| from datamodel Network_Traffic
2 questions:
1) Can anyone answer me why the field is still not seen when whiting the search
| from datamodel Network)Traffic
Because the "Preview" tab shows the results and URLs are extracted
2) Maybe you know how I can extract the field URL directly from _raw event, because I`m confused with all answers which I saw about this topic before.
Tranks in advance
can you check your regex used to extract url once ?
apply same regex using rex command to see if that is working or not.
yes, the search works fine, but if I add this rex to extract a field "URL" in datamodel, the new field doesn`t appear