You might like to look into parser chaining for this: https://metron.apache.org/current-book/metron-platform/metron-parsers/ParserChaining.html
Simon

> On 20 Feb 2019, at 16:47, Farrukh Naveed Anjum <[email protected]> wrote:
>
> Yes, I am using the BRO Parser. Can I subdivide the message field?
>
>> On Wed, Feb 20, 2019 at 7:39 PM Otto Fowler <[email protected]> wrote:
>> Can you print what the fields are after parsing? These are the fields that
>> you will be able to use Stellar on, to possibly extract your info.
>> Are you using the Bro parser?
>>
>>> On February 20, 2019 at 02:14:17, Farrukh Naveed Anjum
>>> ([email protected]) wrote:
>>>
>>> Hi,
>>> I wanted to know how I can define and extract a field in the parser from
>>> messages, with an "if it exists" like option.
>>>
>>> For example, I am using Bro syslog. Following is a sample of the data:
>>>
>>> SYSLOG | severity:ERR uid:C5oe7F5SYMWqfVKKj id.orig_p:514
>>> id.resp_p:514 proto:udp id.orig_h:10.2.2.1 message:Feb 20 12:11:18
>>> suricata[72950]: [1:2000538:8] ET SCAN NMAP -sA (1)
>>> [Classification:
>>> Attempted Information Leak] [Priority: 2] {TCP} 74.125.133.189:443 ->
>>> 10.2.2.202:52012 facility:LOCAL5
>>> ts:1550646678.442785 id.resp_h:172.16.4.18
>>>
>>> From the message field, I want to extract Classification, Priority and the TCP From
>>> -> To IPs.
>>>
>>> Can I make some kind of configuration in the Bro parser to get this
>>> information back as:
>>>
>>> Classification <String>
>>> Priority <String>
>>> TCP From <IP>
>>> TCP To <IP>
>>>
>>> Any guidance will be a great help.
>>>
>>> --
>>> With Regards
>>> Farrukh Naveed Anjum
>
> --
> With Regards
> Farrukh Naveed Anjum
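The following is an added example, not code from this thread and not part of Metron or Bro: a small Python extractor that does on the quoted sample what Farrukh asks for, so that the stable anchors in the message field (the `[Classification: ...]` and `[Priority: N]` brackets and the `{PROTO} src:port -> dst:port` flow) are visible before they are turned into Stellar expressions or a chained parser. It assumes the flattened `key:value` record layout and the Bro syslog key names exactly as they appear in the sample, a leading `SYSLOG |` prefix, and IPv4 addresses in the flow; the sample record is copied from the thread. Fields that are absent from a message are simply not emitted, which is the "if it exists" behaviour, and an address that does not parse as an IP is dropped rather than passed through as a string.

```python
import ipaddress
import re
from typing import Optional

# Record copied from the thread above (Bro syslog output with a suricata alert
# carried in the "message" field), flattened onto one line.
SAMPLE_RECORD = (
    "SYSLOG | severity:ERR uid:C5oe7F5SYMWqfVKKj id.orig_p:514 "
    "id.resp_p:514 proto:udp id.orig_h:10.2.2.1 message:Feb 20 12:11:18 "
    "suricata[72950]: [1:2000538:8] ET SCAN NMAP -sA (1) [Classification: "
    "Attempted Information Leak] [Priority: 2] {TCP} 74.125.133.189:443 -> "
    "10.2.2.202:52012 facility:LOCAL5 ts:1550646678.442785 id.resp_h:172.16.4.18"
)

# Assumed set of Bro syslog keys, taken from the sample record. The "message"
# value contains spaces and colons, so a value is read lazily until the next
# " <known key>:" boundary (or end of record) rather than split on whitespace.
BRO_SYSLOG_KEYS = ("severity", "uid", "id.orig_p", "id.resp_p", "proto",
                   "id.orig_h", "id.resp_h", "message", "facility", "ts")
_KEY_ALT = "|".join(re.escape(k) for k in BRO_SYSLOG_KEYS)
RECORD_RE = re.compile(
    rf"(?P<key>{_KEY_ALT}):(?P<val>.*?)(?=\s(?:{_KEY_ALT}):|$)", re.DOTALL)

# Each alert pattern is matched independently, so a message missing one
# bracketed section still yields the others.
CLASSIFICATION_RE = re.compile(r"\[Classification:\s*(?P<classification>[^\]]+)\]")
PRIORITY_RE = re.compile(r"\[Priority:\s*(?P<priority>\d+)\]")
_IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"  # loose shape; ipaddress does the real check
FLOW_RE = re.compile(
    rf"\{{(?P<proto>[A-Za-z0-9]+)\}}\s*"
    rf"(?P<src_ip>{_IPV4}):(?P<src_port>\d+)\s*->\s*"
    rf"(?P<dst_ip>{_IPV4}):(?P<dst_port>\d+)"
)


def parse_bro_record(line: str) -> dict:
    """Split the flattened record into its Bro fields, keeping 'message' whole."""
    body = line.split("|", 1)[1] if "|" in line else line
    return {m.group("key"): m.group("val").strip() for m in RECORD_RE.finditer(body)}


def _as_ip(text: str) -> Optional[str]:
    """Normalised address string, or None when the text is not a valid IP."""
    try:
        return str(ipaddress.ip_address(text))
    except ValueError:
        return None


def extract_alert_fields(message: str) -> dict:
    """Pull Classification, Priority and the {PROTO} src -> dst flow out of the
    alert text. Only the pieces actually present are returned."""
    fields = {}
    m = CLASSIFICATION_RE.search(message)
    if m:
        fields["classification"] = m.group("classification").strip()
    m = PRIORITY_RE.search(message)
    if m:
        fields["priority"] = m.group("priority")  # kept as a string, as requested
    m = FLOW_RE.search(message)
    if m:
        src, dst = _as_ip(m.group("src_ip")), _as_ip(m.group("dst_ip"))
        if src and dst:  # both ends must be real addresses to emit the flow
            fields["protocol"] = m.group("proto")
            fields["tcp_from"] = src
            fields["tcp_to"] = dst
            fields["tcp_from_port"] = int(m.group("src_port"))
            fields["tcp_to_port"] = int(m.group("dst_port"))
    return fields


def enrich_record(line: str) -> dict:
    """Bro fields plus whatever alert fields the message field carries."""
    record = parse_bro_record(line)
    if "message" in record:
        record.update(extract_alert_fields(record["message"]))
    return record


if __name__ == "__main__":
    for key, value in enrich_record(SAMPLE_RECORD).items():
        print(f"{key}: {value}")
```

In Metron the same two-stage idea is what Otto and Simon point at: the Bro parser produces the `message` field, and a Stellar field transformation or a chained parser then applies patterns like the three above to that one field. Keeping the patterns independent matters operationally: a syslog line from a different daemon, or a suricata line without a classification, still produces a valid record with fewer fields instead of a parse error.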
