Hi Community,
I'm trying to figure out how to get the signature and signature id to their own fields. This has been a tricky one for me. Here is part of the _raw event:
|Trend Micro|Deep Security Agent|0.0.0000|0|Invalid Traversal|
|Trend Micro|Deep Security Agent|0.0.0000|0000000|SSL Request|
After Deep Security Agent, there is the agent version. After the agent version is the signature ID, then finally the signature. The signature ID seems to range from a single-digit number to 7 digits.
I'd like to be able to get everything after the agent version "\d.\d.\d{0,4}" and the pipe, to end on the last character of the signature before the other pipe, while also breaking up the signature ID field and signature field.
Any help would be great and much appreciated.
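
One way to do the split described in this post, as an added example that is not part of the original post: a Python regex with named groups, run over the two events quoted above plus constructed ones. The field names `agent_version`, `signature_id` and `signature` and the function `extract_signature` are hypothetical.

```python
import re

# Layout described in the post:
#   |Trend Micro|Deep Security Agent|<agent version>|<signature ID>|<signature>|
# Group names are hypothetical field names chosen for this example.
SIG_RE = re.compile(
    r"\|Trend Micro\|Deep Security Agent"
    r"\|(?P<agent_version>[^|]*)"    # version is whatever sits between the pipes
    r"\|(?P<signature_id>\d{1,7})"   # the post reports 1 to 7 digits
    r"\|(?P<signature>[^|]+)\|"      # everything up to, not including, the next pipe
)


def extract_signature(raw):
    """Return the three fields as a dict, or None if the event does not match."""
    m = SIG_RE.search(raw)
    return m.groupdict() if m else None


# The first two events are the ones quoted in the post; the rest are constructed.
SAMPLE_EVENTS = [
    "|Trend Micro|Deep Security Agent|0.0.0000|0|Invalid Traversal|",
    "|Trend Micro|Deep Security Agent|0.0.0000|0000000|SSL Request|",
    "prefix|Trend Micro|Deep Security Agent|0.0.0000|12345|Example Rule|5|k=v",
    "|Trend Micro|Deep Security Agent|0.0.0000|00000000|Eight Digit ID|",
    "|Other Vendor|Other Product|0.0.0000|1|Unrelated|",
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(extract_signature(event))
```

Anchoring on the literal vendor and product and on the pipes keeps the match from drifting into later fields. The same pattern with the groups written as `(?<signature_id>...)` is the form a Splunk `rex` extraction takes.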