I have a field 'foo', it has a value like "data1_data2"
I'd like to make an Extracted Field that starts with the contents of 'foo', instead of the entire raw event
is that possible?
You may wish to keep in mind that if the field is an auto-extracted field, the extraction in the props.conf will need to be done on the raw data.
In other words if your data looks like: key=value key2=value3 key3=value3
A field extraction using the "in" keyword in the props.conf file such as: EXTRACT-field3 = [A-Za-z]+ in key3
Will not work as expected as the key/key2/key3 fields are not index time fields, they are search time only.
Information about it at - Extract fields using regular expressions
Maybe change -
... | rex field=_raw "From: (?<from>.*) To: (?<to>.*)"
to - ... | rex field=foo "From: (?<from>.*) To: (?<to>.*)"
... | rex field=foo "From: (?<from>.*) To: (?<to>.*)"
