Hi. I have below raw event/s.
Highlighted Syntax:
{ [-]
body: {"isolation": "isolation","device_classification": "Network Access Control","ip": "1.2.3.4", "mac": "Unknown","dns_hn": "XYZ","policy": "TEST_BLOCK","network_fn": "CounterACT Device","os_fingerprint": "CounterACT Appliance","nic_vendor": "Unknown Vendor","ipv6": "Unknown",}
ctupdate: notif
eventTimestamp: 1739913406
ip: 1.2.3.4
tenant_id: CounterACT__sample
}
Raw Text:
{"tenant_id":"CounterACT__sample","body":"{\"isolation\": \"isolation\",\"device_classification\": \"Network Access Control\",\"ip\": \"1.2.3.4\", \"mac\": \"Unknown\",\"dns_hn\": \"XYZ\",\"policy\": \"TEST_BLOCK\",\"network_fn\": \"CounterACT Device\",\"os_fingerprint\": \"CounterACT Appliance\",\"nic_vendor\": \"Unknown Vendor\",\"ipv6\": \"Unknown\",}","ctupdate":"notif","ip":"1.2.3.4","eventTimestamp":"1739913406"}
I need below fields=value extracted from each event at search time. It is a very small dataset:
isolation=isolation
policy=TEST_BLOCK
ctupdate=notif
ip=1.2.3.4
ipv6=Unknown
mac=Unknown
dns_hn=XYZ
eventTimestamp=1739913406
Thank you in advance!!!
