How to Parse dynamic field with random ipaddress/hostname to different meta keys
Issue
The event source sends the logs below, and the highlighted field (10.10.10.10 in the first sample, isvsappopa2.ad.infos in the second) randomly carries either an IP address or a hostname.
%HANADB-4: ZepmAudLogs 00000000004501688483#RFC Call#AU#000#2020-08-01#1#0#issttftttt4_ECP_64#10.10.10.10#SAPMSSY1#L#Successful RFC call SALC_PERF_READ_SMOOTH_DATA (function group = SALC)#K#038#D###15:58:35#SAP_SYSTEM#400#SALC##SALC_PERF_READ_SMOOTH_DATA##Low#
%HANADB-4: ZepmAudLogs 00000000004501688488#RFC Call#AU#400#2020-08-01#1#0#ishdhdhdhdh4_ECP_64#isvsappopa2.ad.infos#SAPMSSY1#L#Successful RFC call SYSTEM_RESET_RFC_SERVER (function group = SYSU)#K#034#D###15:58:59#POALCONUSER#400#SYSU##SYSTEM_RESET_RFC_SERVER##Low#
Tasks
The highlighted field is to be parsed to ip.src when an IP address appears in the log and to host.src when a hostname appears in the log.
Resolution
Follow the steps below to parse them separately, for example ip.src=10.10.10.10 and host.src=isvsappopa2.ad.infos. Capture the source variable (the incoming IP address or hostname) in the saddr variable (which maps to the ip.src meta key).
Note: If the log carries a source hostname instead of an IP address, it will automatically be collected in host.src because of the failure key definitions in table-map.xml shown below.
<mapping envisionName="saddr" nwName="ip.src" flags="None" format="IPv4" failureKey="ipv6.src" failureMapping="saddr_v6" nullTokens="(null)|-"/>
<mapping envisionName="saddr_v6" nwName="ipv6.src" flags="None" format="IPv6" failureKey="host.src" failureMapping="shost" nullTokens="(null)|-"/>
<mapping envisionName="shost" nwName="host.src" flags="None" format="Text"/>
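The following is an added example, not NetWitness code: a simplified Python model of the failure-key chain in the three mapping entries above (saddr -> saddr_v6 -> shost), applied to the ninth '#'-delimited field of the two sample logs. The field index and the format checks are assumptions made for illustration; the real parser's format and nullTokens semantics may differ in detail.

```python
import ipaddress
from typing import Dict, Optional

# Simplified model of the table-map.xml entries quoted above.
# Each envision name declares the meta key it fills, the format it
# requires, and the next envision name to try when the format check fails.
MAPPINGS: Dict[str, Dict[str, Optional[str]]] = {
    "saddr":    {"nwName": "ip.src",   "format": "IPv4", "failureMapping": "saddr_v6"},
    "saddr_v6": {"nwName": "ipv6.src", "format": "IPv6", "failureMapping": "shost"},
    "shost":    {"nwName": "host.src", "format": "Text", "failureMapping": None},
}
NULL_TOKENS = {"(null)", "-"}  # from nullTokens="(null)|-" above

# Sample messages taken from this article (assumed field layout: '#'-delimited,
# source address/hostname in the ninth field).
SAMPLE_LOGS = [
    "%HANADB-4: ZepmAudLogs 00000000004501688483#RFC Call#AU#000#2020-08-01#1#0"
    "#issttftttt4_ECP_64#10.10.10.10#SAPMSSY1#L#Successful RFC call#K#038#D###15:58:35#",
    "%HANADB-4: ZepmAudLogs 00000000004501688488#RFC Call#AU#400#2020-08-01#1#0"
    "#ishdhdhdhdh4_ECP_64#isvsappopa2.ad.infos#SAPMSSY1#L#Successful RFC call#K#034#D###",
]
SOURCE_FIELD_INDEX = 8


def _matches(value: str, fmt: Optional[str]) -> bool:
    """Return True when value satisfies the mapping's declared format."""
    try:
        if fmt == "IPv4":
            ipaddress.IPv4Address(value)
        elif fmt == "IPv6":
            ipaddress.IPv6Address(value)
        return True  # "Text" accepts any value
    except ValueError:
        return False


def resolve(variable: str, value: str) -> Dict[str, str]:
    """Walk the failureMapping chain until a format check succeeds."""
    if value in NULL_TOKENS:
        return {}
    name: Optional[str] = variable
    while name is not None:
        mapping = MAPPINGS[name]
        if _matches(value, mapping["format"]):
            return {mapping["nwName"]: value}
        name = mapping["failureMapping"]
    return {}


def parse_source(log_line: str) -> Dict[str, str]:
    """Extract the source field and route it through the saddr chain."""
    return resolve("saddr", log_line.split("#")[SOURCE_FIELD_INDEX])
```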
Product Details
RSA Product Set: RSA NetWitness Platform
RSA Product/Service Type: Core Appliance
RSA Version/Condition: 11.X
Platform: CentOS
O/S Version: 7
Summary
This document outlines the procedure to parse an IP address or hostname to different meta keys when the value changes randomly between the two.