Hi All,
We have endpoint logs; by default the logs are in JSON format and the fields are auto-extracted. However, we have two field names, Protocol (tcp, udp etc.) and RemotePort (443, 8080, 53 etc.). Actually we want dest_port=Protocol/RemotePort, for example the output tcp/443.
Sample log
{"ConfigBuild":"1000.1.0006507.1","ConfigStateHash":"118807017","ConnectionDirection":"0","ConnectionFlags":"0","ContextProcessId":"124283148110857432","ContextTimeStamp":"1122143620.880","EffectiveTransmissionClass":"3","Entitlements":"15","InContext":"0","LocalAddressIP4":"10.0.0.34","LocalPort":"52022","Protocol":"6","RemoteAddressIP4":"10.0.0.1","RemotePort":"443","aid":"a50f3aab996345f46510ec2f4c12b399","aip":"13.70.190.121","cid":"07b2sf7ss17147df10j15ggb6d7010tc","event_platform":"Win","event_simpleName":"NetworkConnectIP4","id":"ac8b80b5-4s36-10f8-000c-061014bed5be","name":"NetworkConnectIP4V5","timestamp":"1525175921212"}
Can we use the existing extracted fields, which are Protocol and RemotePort, and somehow map them to the desired field, which is dest_port=Protocol/RemotePort, or kindly help me to extract the field value.
Thanks in advance
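One way to derive dest_port from those two fields, as an added example that is not part of the original post: a small Python normalizer that parses one JSON event, translates the numeric IANA protocol (note that the sample log carries Protocol as "6", i.e. TCP, not the name) and joins it with RemotePort. It assumes the events arrive as newline-delimited JSON; the protocol table and the function names are my own.

```python
import json
from typing import Iterable, Iterator, Optional

# IANA protocol numbers as they appear in the Protocol field of the sample
# event ("6" = TCP). Only the values usually seen on endpoint network events
# are listed; anything else is passed through unchanged.
IANA_PROTOCOLS = {"1": "icmp", "6": "tcp", "17": "udp", "58": "icmpv6"}

# NetworkConnectIP4 event copied from the post, used here as constructed input.
SAMPLE_EVENT = ('{"ConfigBuild":"1000.1.0006507.1","ConfigStateHash":"118807017",'
                '"ConnectionDirection":"0","ConnectionFlags":"0",'
                '"ContextProcessId":"124283148110857432","ContextTimeStamp":"1122143620.880",'
                '"EffectiveTransmissionClass":"3","Entitlements":"15","InContext":"0",'
                '"LocalAddressIP4":"10.0.0.34","LocalPort":"52022","Protocol":"6",'
                '"RemoteAddressIP4":"10.0.0.1","RemotePort":"443",'
                '"aid":"a50f3aab996345f46510ec2f4c12b399","aip":"13.70.190.121",'
                '"cid":"07b2sf7ss17147df10j15ggb6d7010tc","event_platform":"Win",'
                '"event_simpleName":"NetworkConnectIP4","id":"ac8b80b5-4s36-10f8-000c-061014bed5be",'
                '"name":"NetworkConnectIP4V5","timestamp":"1525175921212"}')


def dest_port_from_event(raw: str) -> Optional[str]:
    """Return "proto/port" (e.g. "tcp/443") for one JSON event.

    Returns None when Protocol or RemotePort is missing or RemotePort is not a
    valid port number, so malformed events do not produce a bogus value.
    """
    event = json.loads(raw)
    proto, port = event.get("Protocol"), event.get("RemotePort")
    if proto is None or port is None:
        return None
    proto = str(proto).strip().lower()
    # Accept either an IANA number ("6") or a name that is already spelled out ("TCP").
    name = IANA_PROTOCOLS.get(proto, proto)
    port = str(port).strip()
    if not port.isdigit() or not 0 <= int(port) <= 65535:
        return None
    return f"{name}/{int(port)}"


def enrich_events(lines: Iterable[str]) -> Iterator[dict]:
    """Yield each newline-delimited JSON event with a dest_port key added when derivable."""
    for line in lines:
        if not line.strip():
            continue
        event = json.loads(line)
        dest = dest_port_from_event(line)
        if dest is not None:
            event["dest_port"] = dest
        yield event
```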