Hello,
I have been trying unsuccessfully to parse/filter the data from the message field:
Message= Spyware/Grayware: HackTool.VBS.InviBat. AComputer: PATELS-E7470Domain: Adgrouping\Corp.root.ipc.com\Na\Myhnj\Workstations\WINDOWS 7\Date/Time: 8/7/2019 12:04:21Result: Further action required
Specifically the bolded part. Essentially, what I need to do is remove the "threat event" from Trend Micro logs coming into the SIEM. I was able to do this with the following string, but the requirement changed in terms of what we are trying to do with these events once they are parsed/filtered (regex, or the line you will see below, assuming I even did that correctly).
| eval Message=split(Message,".") | eval Short_Message=mvindex(Message,0,2) | table Short_Message
I suspect the Spyware/Grayware may change but I would really like to get either both the segment containing Spyware/Grayware: "threat name" or just the "threat name" somehow. Once that is accomplished I want to create an alert for ten threat events with the same name within 24 hours and another alert when the same machine gets 10 events within 24 hours.
I know I can do this with something like:
|where match(message,"Spyware") |transaction | search eventcount>=20
Keep in mind... I was trying this on the line above and apparently you cannot use the transaction command with eval commands?
Any help would be appreciated!
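The parsing and the two threshold alerts described above, written out as an added example that is not part of the original post or of Trend Micro's or Splunk's own code. It is stand-alone Python rather than SPL so the logic can be run offline: one regex pulls the category ("Spyware/Grayware"), threat name, computer, domain, time and result out of the run-together message text, and a sliding 24-hour window then raises an alert when ten events share a threat name or a computer. Assumptions: the five labels ("Computer:", "Domain:", "Date/Time:", "Result:") are fixed even if the leading category changes, and the timestamp is US month/day/year. The sample messages other than the one quoted in the post are constructed test data.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The Trend Micro message arrives with the field labels run together and no
# separators, so every value is matched lazily up to the next known label.
# The leading "Spyware/Grayware" is captured as `category` so the same regex
# keeps working if Trend Micro sends a different label there.
MESSAGE_RE = re.compile(
    r"^(?P<category>[^:]+):\s*(?P<threat>.+?)\s*"
    r"Computer:\s*(?P<computer>.+?)\s*"
    r"Domain:\s*(?P<domain>.+?)\s*"
    r"Date/Time:\s*(?P<datetime>.+?)\s*"
    r"Result:\s*(?P<result>.+?)\s*$"
)

# Assumption: timestamps are US-style month/day/year, as in the posted sample.
TIME_FORMAT = "%m/%d/%Y %H:%M:%S"

# The message quoted in the post (the stray space before the ".A" variant
# suffix is reproduced as it appears there).
SAMPLE_MESSAGE = (
    "Spyware/Grayware: HackTool.VBS.InviBat. AComputer: PATELS-E7470"
    "Domain: Adgrouping\\Corp.root.ipc.com\\Na\\Myhnj\\Workstations\\WINDOWS 7\\"
    "Date/Time: 8/7/2019 12:04:21Result: Further action required"
)


def parse_message(message):
    """Return the message fields as a dict, or None if the line does not fit."""
    m = MESSAGE_RE.match(message.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["time"] = datetime.strptime(fields["datetime"], TIME_FORMAT)
    return fields


def sliding_window_alerts(events, key, threshold=10, window=timedelta(hours=24)):
    """Return {key_value: time_of_threshold_event} for every value of `key`
    (e.g. "threat" or "computer") that reaches `threshold` events inside any
    `window`-long period.  Events are walked in time order; a per-key deque
    holds only the timestamps still inside the window."""
    recent = defaultdict(deque)
    fired = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        k = ev[key]
        q = recent[k]
        q.append(ev["time"])
        while ev["time"] - q[0] > window:
            q.popleft()  # drop hits older than the window
        if len(q) >= threshold and k not in fired:
            fired[k] = ev["time"]
    return fired


def make_message(category, threat, computer, when):
    """Build a message in the same run-together layout (constructed test data)."""
    return (f"{category}: {threat}Computer: {computer}"
            f"Domain: Adgrouping\\Corp.root.ipc.com\\Na\\Myhnj\\Workstations\\WINDOWS 7\\"
            f"Date/Time: {when.strftime(TIME_FORMAT)}Result: Further action required")


def sample_events():
    """Constructed log: one threat on ten hosts, one host with ten threats,
    and one threat whose ten hits are spread over 27 hours (never ten in 24h)."""
    start = datetime(2019, 8, 7, 0, 0, 0)
    msgs = [SAMPLE_MESSAGE]
    for i in range(10):   # same threat, ten machines, 18-hour span -> threat alert
        msgs.append(make_message("Spyware/Grayware", "Adware.Win32.Sample.A",
                                 f"WS-{i:03d}", start + timedelta(hours=2 * i)))
    for i in range(10):   # one machine, ten different threats -> machine alert
        msgs.append(make_message("Virus/Malware", f"Trojan.Win32.Test.{i}",
                                 "PATELS-E7470", start + timedelta(hours=i, minutes=30)))
    for i in range(10):   # ten hits three hours apart: only nine fall in any 24h
        msgs.append(make_message("Spyware/Grayware", "PUA.Win32.Slow.B",
                                 f"LAP-{i:02d}", start + timedelta(hours=3 * i)))
    return [e for e in map(parse_message, msgs) if e is not None]


if __name__ == "__main__":
    events = sample_events()
    print("threat alerts :", sliding_window_alerts(events, "threat"))
    print("machine alerts:", sliding_window_alerts(events, "computer"))
```

The same named-group pattern can be handed to Splunk's rex command against the Message field (rex uses the Perl-style (?<name>...) group syntax), after which the two alerts become a stats count by threat, and by computer, over a 24-hour window rather than a transaction; the sliding window above shows what that count has to respect, since ten hits spread over 27 hours should not fire.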