Forum Discussion
Editing Custom Fields for syslog message extraction
Hi,
I am currently creating new custom fields to extract the data from a syslog data source. Having initially set up the three fields I need, I've now found a set of messages that do not parse correctly. How can I update the Wizard for the custom field to include this new extraction? Right now the only option I can see is to delete the custom field and start again. This is going to cause me all sorts of problems if we need to check every single possible message from a data source before we create a custom field.
Or, alternatively am I just missing something and there is a much easier way to do this?
2 Replies
- CliveWatson (Former Employee)
Normally we do any parsing at query time. The use of custom fields has dropped off in the past few years.
You can either parse, regex or extract in the query or create a parser, like the one shown in the recent Teams article https://techcommunity.microsoft.com/t5/azure-sentinel/protecting-your-teams-with-azure-sentinel/ba-p/1265761
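As an added illustration of the query-time approach described in this reply (this is example code written for this page, not the parser from the linked Teams article and not Microsoft's own code): the parsing lives in a KQL function that is run over the Syslog table at query time, so when a new message shape turns up you add one more pattern to the function rather than deleting and recreating a custom field. The table and column names (TimeGenerated, Computer, SyslogMessage) are the standard Syslog schema; the function name ParseFirewallSyslog, the two message formats and the sample rows are constructed for the example.

```kusto
// Added example, not code from the thread or from the linked Teams parser.
// Column names follow the standard Syslog table; the message formats, the
// function name ParseFirewallSyslog and the sample rows are constructed.
let SampleSyslog = datatable(TimeGenerated:datetime, Computer:string, SyslogMessage:string)
[
    datetime(2020-04-01 10:00:00), "fw01", "user=alice src=10.0.0.5 action=allow",
    datetime(2020-04-01 10:00:05), "fw01", "user=bob src=10.0.0.9 action=deny",
    // a second format that the first pattern does not match; in the thread's
    // terms, the "set of messages that do not parse correctly"
    datetime(2020-04-01 10:00:10), "fw02", "Login failure for carol from 10.0.0.12"
];
// Query-time parser: one function, extended with a new pattern whenever a new
// message shape appears, instead of recreating a custom field.
let ParseFirewallSyslog = (T:(TimeGenerated:datetime, Computer:string, SyslogMessage:string)) {
    T
    // format 1: key=value pairs; parse leaves U1/S1/A1 empty when the literals do not match
    | parse SyslogMessage with "user=" U1 " src=" S1 " action=" A1
    // format 2: free text, pulled out with regex extract (empty string on no match)
    | extend U2 = extract(@"Login failure for (\S+) from", 1, SyslogMessage),
             S2 = extract(@"from (\d{1,3}(?:\.\d{1,3}){3})$", 1, SyslogMessage),
             A2 = iff(SyslogMessage has "Login failure", "deny", "")
    // take the value from whichever pattern matched
    | project TimeGenerated, Computer,
              User   = iff(isempty(U1), U2, U1),
              SrcIp  = iff(isempty(S1), S2, S1),
              Action = iff(isempty(A1), A2, A1),
              SyslogMessage
};
SampleSyslog
| invoke ParseFirewallSyslog()
// rows where neither pattern matched are the ones that still need a pattern added
| extend Unparsed = isempty(User) and isempty(SrcIp)
```

In a real workspace the `SampleSyslog` datatable is replaced by `Syslog | where ...` scoped to the relevant facility or host, and the `let` function can be saved in Log Analytics as a function so that detection rules and workbooks call it by name, the same way the Teams article's parser is used. Filtering on `Unparsed == true` is the quick way to find the next message shape that needs a pattern.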
- SimonRBrass (Contributor)