How would you create a new field, for example color, by extracting the text from the value of an existing field, for example Message?
Message = The ball is red.
Problem
Want new field : color set to value = red
This is a Field Extraction Question
You can try this:
| makeresults
| eval _raw="Message=\"The ball is red\""
| kv | fields - _raw _time
| rex field=Message "\w+\s\w+\s\w+\s(?P<clr>.+)"
Try this:
... | rex "'(?<newFieldForCompanyName>[^']+)'[^']*$"
You will have to write a regex, for instance for your example:
| makeresults | eval x=" Message = The ball is red."
| rex field=x "\w+ = \w+ \w+ \w+ (?<string>\w+)"
Hi @hredd
By default, field/value pairs that are separated by an equals sign or a colon will typically be extracted automatically. If they aren't, then you can try using | extract like so:
| makeresults | eval _raw="color set to value = red" | extract
(This is just an example, but substitute the first two sections with your normal search.)
Otherwise you can do something like this:
| makeresults | eval _raw="color set to value = red" | rex field=_raw "value\s*=\s*(?<my_new_field>\S+)"
Hope you find this helpful.
So this seems good for testing the regex; I guess I am looking for a more permanent solution.
As in every new search containing the new extracted field.
The example is as follows:
Message : blah blah blah. blah blah. the file was approved by 'Microsoft'.
This company name changes and is sometimes not present.
The goal is to make, in this example, newFieldForCompanyName = Microsoft show up in every new search
Hi @hredd
After you run your search, expand an event that has the field in it. Then click the button that displays and select Extract new fields. The wizard will guide you to create a permanent extraction that will run whenever anyone does a search.
All the best. Chris.
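As an added example that is not part of this thread: the permanent form of the rex commands above is a search-time extraction in props.conf, which is what the field extractor wizard writes for you. The sourcetype name is an assumption; the regexes are the ones from the answers above.

```ini
# props.conf (search-time field extractions); the sourcetype name is an assumption
[my_sourcetype]
# Company name quoted in single quotes at the end of the Message field.
# When no quoted name is present the regex does not match and the field is
# simply not created for that event, which handles the "sometimes not present" case.
EXTRACT-company = '(?<newFieldForCompanyName>[^']+)'[^']*$ in Message
# Colour word from a Message such as "The ball is red." (\w+ stops before the period)
EXTRACT-color = \w+\s\w+\s\w+\s(?<color>\w+) in Message
```

After a restart of splunkd or a debug/refresh, both fields appear in every search over that sourcetype without repeating the rex command.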