SOLVED

Editing Custom Fields for syslog message extraction


Hi,


I am currently creating new custom fields to extract the data from a syslog data source. Having initially set up the three fields I need, I've now found a set of messages that do not parse correctly. How can I update the Wizard for the custom field to include this new extraction? Right now the only option I can see is to delete the custom field and start again. This is going to cause me all sorts of problems if we need to check every single possible message from a data source before we create a custom field.


Or, alternatively, am I just missing something and there is a much easier way to do this?

best response confirmed by SimonR (Occasional Contributor)
Solution

@SimonR


Normally we do any parsing at query time. The use of custom fields has dropped off in the past few years.

You can either parse, regex or extract in the query or create a parser, like the one shown in the recent Teams article https://techcommunity.microsoft.com/t5/azure-sentinel/protecting-your-teams-with-azure-sentinel/ba-p...
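Worked through as a KQL example added here (it is not code from this thread or from the Teams article): extraction done at query time with `extract`, `parse` and a `let` function acting as the parser, so that a message shape the first pattern misses is handled by adding a second pattern to the query rather than deleting and re-creating a custom field. The sshd message shapes, the sample rows and the names `SampleSyslog` and `ParseSshd` are assumptions; in a workspace replace `SampleSyslog` with the `Syslog` table.

```kql
// Added example, not from the thread: query-time parsing of Syslog messages
// instead of a custom field. Rows below are constructed sample data.
let SampleSyslog = datatable(TimeGenerated:datetime, Computer:string, ProcessName:string, SyslogMessage:string) [
    datetime(2020-05-12 10:00:00), "host1", "sshd", "Accepted publickey for alice from 10.0.0.5 port 51234 ssh2: RSA SHA256:xyz",
    datetime(2020-05-12 10:00:07), "host1", "sshd", "Failed password for invalid user admin from 203.0.113.9 port 40122 ssh2",
    datetime(2020-05-12 10:00:09), "host1", "sshd", "Failed password for bob from 203.0.113.9 port 40130 ssh2",
    datetime(2020-05-12 10:01:00), "host2", "sshd", "Disconnected from authenticating user root 198.51.100.7 port 2222 [preauth]"
];
// A reusable "parser": a tabular function that adds the extracted columns.
// When a new message shape turns up, add another pattern here; nothing is
// deleted, and already-ingested rows are parsed with the new pattern too.
let ParseSshd = (T:(*)) {
    T
    // Shape 1: "... for <user> from <ip> port <n> ..."
    | extend User1 = extract(@"for (?:invalid user )?(\S+) from", 1, SyslogMessage),
             IP1   = extract(@"from (\d{1,3}(?:\.\d{1,3}){3})", 1, SyslogMessage)
    // Shape 2: "... authenticating user <user> <ip> port <n> ..." (missed by shape 1)
    | extend User2 = extract(@"authenticating user (\S+) ", 1, SyslogMessage),
             IP2   = extract(@"user \S+ (\d{1,3}(?:\.\d{1,3}){3})", 1, SyslogMessage)
    // Keep whichever pattern matched; isnotempty() covers both null and "".
    | extend User     = iff(isnotempty(User1), User1, User2),
             SourceIP = iff(isnotempty(IP1), IP1, IP2)
    // parse is enough when the delimiter is fixed, as " port " is here.
    | parse SyslogMessage with * " port " SourcePort:int " " *
    | extend Outcome = case(SyslogMessage startswith "Accepted", "success",
                            SyslogMessage startswith "Failed",   "failure",
                            "other")
    | project-away User1, User2, IP1, IP2
};
SampleSyslog
| where ProcessName == "sshd"
| invoke ParseSshd()
| where isnotempty(User)
// Failed logons per source and account, hourly; rows from both shapes are counted.
| summarize Failures = countif(Outcome == "failure"), Messages = count()
    by SourceIP, User, bin(TimeGenerated, 1h)
```

Saving `ParseSshd` as a workspace function lets every query and analytics rule reuse it, and fixing a pattern in one place updates all of them.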



Thanks @Clive Watson, guess I'm going back to regex after all 😂.