cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Editing Custom Fields for syslog message extraction

SimonR
Contributor

‎May 12 2020 03:42 AM - last edited on ‎Apr 08 2022 10:26 AM by

‎May 12 2020 03:42 AM - last edited on ‎Apr 08 2022 10:26 AM by

Editing Custom Fields for syslog message extraction

Hi,

 

I am currently creating new custom fields to extract the data from a syslog data source. Having initially setup the three fields I need I've now found a set of messages that do not parse correctly. How can I update the Wizard for the custom field to include this new extraction? Right now the only option I can see is to delete the custom field and start again. This is going to cause me all sorts of problems if we need to check every single possible message from a data source before we create a custom field.

 

Or, alternatively am I just missing something and there is a much easier way to do this?

2,431 Views
0 Likes
2 Replies
Reply
2 Replies
best response confirmed by SimonR (Contributor)
CliveWatson

‎May 12 2020 10:09 AM

‎May 12 2020 10:09 AM

Solution

Re: Editing Custom Fields for syslog message extraction

@SimonR 

 

Normally we do any parsing at query time.  The use of custom fields has dropped off in the past few years. 

You can either parse, regex or extract in the query or create a parser, like the one shown in the recent Teams article https://techcommunity.microsoft.com/t5/azure-sentinel/protecting-your-teams-with-azure-sentinel/ba-p...

 

 

0 Likes
Reply
SimonR

‎May 13 2020 08:34 AM

‎May 13 2020 08:34 AM

Re: Editing Custom Fields for syslog message extraction

Thanks @CliveWatson guess I'm going back to regex after all :face_with_tears_of_joy:.

 

 

0 Likes
Reply