- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
dkorlat
Explorer
04-05-2016
12:34 AM
I'm trying to extract a field called Item_Name using the file props.conf on the search head. I'm currently using this in the props.conf file which isn't working:
EXTRACT-Item_Name = (?<=Item Name:).(.*?).(?=suid=)
I would like to extract all the texts between Item Name and suid= into a field called Item_Name.
Below is the events
2016-04-05T13:10:12+10:00 AFVWS05 CEF: 0|Thycotic Software|Secret Server|8.9.030008|10040|SECRET - PASSWORD_COPIED_TO_CLIPBOARD|2|msg=[SecretServer] Event: [Secret] Action: [Password Copied to Clipboard] By User: internal.local\\ddonald Item Name: Service Account for SCCM (System Center Configuration Manager) Container Name: Miscellany suid=14 suser=internal.local\\ddonald cs4=internal.local\\Donald, David cs4Label=suser Display Name src=24.1.0.5 rt=Apr 05 2016 03:10:09 fname=Service Account for SCCM (System Center Configuration Manager) fileType=Secret fileId=345 cs3Label=Folder cs3=Miscellany
Thanks
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
04-05-2016
08:31 AM
Give this a try
EXTRACT-Item_Name = Item Name:\s+(?<Item_Name>.+)\s+suid=
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
04-05-2016
08:31 AM
Give this a try
EXTRACT-Item_Name = Item Name:\s+(?<Item_Name>.+)\s+suid=
