I am using the Parser function in extract mode for a key-value pair data source. What I noticed is that some of the events have two values for the same field: `rule_uid = "1234556" | rule_uid = "78938794"`. Cribl seems to be keeping the second value for the rule_uid field. What is the right way to preserve both values for a field? I wonder if Parser is the right choice for this.
Parser keeps the last value found
okay, let me try that
You could use Regex which would extract an array of matches.
Thank you David
<@U01C35EMQ01> were you suggesting to use Type = Regular expression in the parser function?
No, using the Regular Expression Function
ok
We have name value support to auto create keys from the values.
I was testing out the Regular Expression Type in Parser and that seems to be working out as well
There is no RegEx type I am aware of in the Parser Function?
If you are referring to JSON, then you will also lose key values as you saw when the key is the same.
I was talking about this
Ah, that is the new 4.1 enhancement to Parser right?
It is basically the Regex Function inside the Parser function right?
Not sure when this was released, very useful though!
Did you still need help with that?
yea, looks like that way
I am good now. Thanks for your help!