I have an analyst that was playing around trying to extract a new field. Unfortunately, he used the delimiter function and instead of backing out of it, he saved it. So on top of the normal fields being parsed out, I have over 60 fields called field1, field2, field3, etc. How can I go about removing these? Also, a second part to this question, I have bro_http logs coming in and the contain a "version" field. This field is not being parsed out, instead, everything being parsed out has shifted to the left by one field (i.e. instead of version being 1.1, the version is showing the user_agent information, which should be in the user_agent field one field to the right)? What file can I update to ensure it is parsing out the version?
... View more