My events are as below:

Mon Nov 23 09:21:57 2020 6 10.0.0.3 3783 /root/A/P2/source1/POL.IDM b s i r kumar ssh 0 *
Mon Nov 23 09:21:58 2020 5 10.0.0.4 3783 /root/A/P2/.stfs/objects/8a/32bcb75c884c00175c989636000ba/b14fbda4-6857-4910-9a74-9789b6165b7f/52925c56-3ae2-4f75-bb3a-97622e9223b0/8a332bcb75c884c00175c989751500c3/POL.IDM b n o r kumar ssh 0 *
Mon Nov 23 09:15:25 2020 7 10.0.0.2 68 /root/A/P1/.stfs/objects/8a/325cc74705abd017472f907ce0155/12763075-66b1-4a1b-b080-0c5d0a5a0c11/d8c5486a-57ab-4798-a8cc-2bf45f3b975b/8a3325cc74705abd017472f9bbc701c7/WEB.dat a s o p ftp 0 *

If I extract the fields, I need the below (event 1 field values in RED, event 2 field values in PINK, event 3 field values in BLUE):

current_time = Mon Nov 23 09:21:57 2020, Mon Nov 23 09:21:58 2020, Mon Nov 23 09:15:25 2020
transfer_time = 6, 5, 7
remote_host = 10.0.0.3, 10.0.0.4, 10.0.0.2
file_size = 3783, 3783, 68
file_path = /root/A/P2/source1/POL.IDM, /root/A/P2/.stfs/objects/8a/32bcb75c884c00175c989636000ba/b14fbda4-6857-4910-9a74-9789b6165b7f/52925c56-3ae2-4f75-bb3a-97622e9223b0/8a332bcb75c884c00175c989751500c3/POL.IDM, /root/A/P1/.stfs/objects/8a/325cc74705abd017472f907ce0155/12763075-66b1-4a1b-b080-0c5d0a5a0c11/d8c5486a-57ab-4798-a8cc-2bf45f3b975b/8a3325cc74705abd017472f9bbc701c7/WEB.dat

A few extracts on this field file_path with / as delimiter (this I don't know how to handle):
3rd index extracted as account = P2, P2, P3
last index extracted as file_name = POL.IDM, POL.IDM, WEB.dat
last but one index (if it starts with 8a) extracted as route_id = <null, empty>, <null, empty>, 8a3325cc74705abd017472f9bbc701c7

transfer_mode = b, b, a
transfer_security = s, n, s
transfer_status = i, o, o
access_mode = r, r, p
user_name = kumar, kumar, <null, empty> (this I don't know how to handle)
protocol = ssh, ssh, ftp

Can you please help on field extractions / search query for this? Thank you
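One way to do the extraction outside the search head, as an added example that is not part of the original post and not code from Splunk or any vendor: a single anchored regular expression with named groups pulls the fixed-position fields, and the path-derived fields (account, file_name, route_id) are computed afterwards by splitting on `/`. The optional `user_name` group and the constant `0 *` trailer are assumptions drawn from the three sample lines (event 3 has one token fewer than the other two); the "3rd index" rule is read as index 3 of the split list, where index 0 is the empty string before the leading slash, since that is what yields P2 for the first path. Applied literally to the lines as quoted, the rules return P1 for the third event's account and a route_id for the second event as well, because its second-to-last path component also starts with 8a. The sample events below are constructed from the post.

```python
import re
from typing import Optional

# One transfer-log line. Field names follow the post; the "0 *" trailer and
# the optional user_name are assumptions inferred from the three sample events.
LINE_RE = re.compile(
    r"^(?P<current_time>[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"(?P<transfer_time>\d+) "
    r"(?P<remote_host>\S+) "
    r"(?P<file_size>\d+) "
    r"(?P<file_path>\S+) "
    r"(?P<transfer_mode>\S) "
    r"(?P<transfer_security>\S) "
    r"(?P<transfer_status>\S) "
    r"(?P<access_mode>\S)"
    r"(?: (?P<user_name>\S+))? "  # missing in event 3, so optional
    r"(?P<protocol>\S+) \d+ \*$"
)

def parse_event(line: str) -> Optional[dict]:
    """Return the extracted fields for one line, or None if the layout differs.

    Returning None (rather than a half-filled dict) makes a changed log format
    or a malformed line visible instead of silently producing wrong values.
    """
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    fields = m.groupdict()
    fields["transfer_time"] = int(fields["transfer_time"])
    fields["file_size"] = int(fields["file_size"])
    fields["user_name"] = fields["user_name"] or ""  # empty when absent

    parts = fields["file_path"].split("/")  # ['', 'root', 'A', 'P2', ...]
    fields["account"] = parts[3] if len(parts) > 3 else ""
    fields["file_name"] = parts[-1]
    penultimate = parts[-2] if len(parts) >= 2 else ""
    # route_id only when the second-to-last component starts with "8a"
    fields["route_id"] = penultimate if penultimate.startswith("8a") else ""
    return fields

def parse_all(lines):
    """Parse every line; unparseable lines are kept as None so they can be counted."""
    return [parse_event(line) for line in lines]

# Constructed sample input: the three events from the post.
SAMPLE_EVENTS = [
    "Mon Nov 23 09:21:57 2020 6 10.0.0.3 3783 /root/A/P2/source1/POL.IDM b s i r kumar ssh 0 *",
    "Mon Nov 23 09:21:58 2020 5 10.0.0.4 3783 /root/A/P2/.stfs/objects/8a/32bcb75c884c00175c989636000ba/"
    "b14fbda4-6857-4910-9a74-9789b6165b7f/52925c56-3ae2-4f75-bb3a-97622e9223b0/"
    "8a332bcb75c884c00175c989751500c3/POL.IDM b n o r kumar ssh 0 *",
    "Mon Nov 23 09:15:25 2020 7 10.0.0.2 68 /root/A/P1/.stfs/objects/8a/325cc74705abd017472f907ce0155/"
    "12763075-66b1-4a1b-b080-0c5d0a5a0c11/d8c5486a-57ab-4798-a8cc-2bf45f3b975b/"
    "8a3325cc74705abd017472f9bbc701c7/WEB.dat a s o p ftp 0 *",
]

if __name__ == "__main__":
    for ev in parse_all(SAMPLE_EVENTS):
        print(ev)
```

The named-group syntax is PCRE-compatible, so the same pattern can be reused in a rex-style extraction; the path-derived fields then come from splitting `file_path` on `/` in the same way.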