extract

The extract command is used to extract new fields from existing ones using named capture groups in a regular expression.

Syntax

The extract command accepts multiple arguments in the following format:

field=/(?<new_field>.+)/

With the example above, the extract command runs the regular expression /(?<new_field>.+)/ against each value of the field named field. If a match is found, the captured text is either stored in a newly created new_field field or, when new_field already exists, appended to it.

Example

For an example ssh login event where the message field contains the following:

Accepted password for user from 192.168.0.10 port 60782 ssh2

The following command extracts the authentication method, the username and the source IP address into the new fields auth_method, user and remote:

| extract message=/^\w+\s(?<auth_method>\w+)\s\w+\s(?<user>\w+)\s\w+\s(?<remote>[^\s]+)/
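The create-or-append behaviour described above, modelled in Python as an added example (not code from the tool this page documents). The translation of (?<name>...) groups to Python's (?P<name>...) syntax and the use of a list for a field that receives a second value are assumptions of this model.

```python
import re

# Constructed sample event, using the ssh line from the page.
EVENT = {"message": "Accepted password for user from 192.168.0.10 port 60782 ssh2"}

# The regular expression from the page's example, in the page's /.../ syntax.
SSH_PATTERN = r"/^\w+\s(?<auth_method>\w+)\s\w+\s(?<user>\w+)\s\w+\s(?<remote>[^\s]+)/"


def to_python_regex(pattern: str) -> str:
    """Strip the surrounding slashes and rewrite (?<name>...) as (?P<name>...).

    Lookbehind assertions (?<= and (?<! are left untouched.
    """
    if len(pattern) >= 2 and pattern.startswith("/") and pattern.endswith("/"):
        pattern = pattern[1:-1]
    return re.sub(r"\(\?<(?![=!])", "(?P<", pattern)


def extract(event: dict, args: dict) -> dict:
    """Apply each field=/regex/ argument to the event.

    Every named capture group that matches either creates a new field or,
    when the field already exists, appends the captured value to it.
    The input event is not modified; a new dict is returned.
    """
    out = dict(event)
    for field, pattern in args.items():
        value = out.get(field)
        if value is None:
            continue  # source field absent: nothing to match against
        match = re.search(to_python_regex(pattern), str(value))
        if match is None:
            continue  # no match: the event passes through unchanged
        for name, captured in match.groupdict().items():
            if captured is None:
                continue  # optional group that did not participate
            if name not in out:
                out[name] = captured  # create the field
            elif isinstance(out[name], list):
                out[name] = [*out[name], captured]  # append to a multi-value field
            else:
                out[name] = [out[name], captured]  # promote to multi-value, then append
    return out


if __name__ == "__main__":
    print(extract(EVENT, {"message": SSH_PATTERN}))
```

Running the block prints the original event plus auth_method, user and remote; an event that already carries a user field ends up with a two-element list for it.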