I'm trying to extract a field called **Item_Name** using the file props.conf on the search head. I'm currently using this in the props.conf file which isn't working:
EXTRACT-Item_Name = (?<=Item Name:).(.*?).(?=suid=)
I would like to extract all the texts between `Item Name` and `suid=` into a field called Item_Name.
Below is the events
2016-04-05T13:10:12+10:00 AFVWS05 CEF: 0|Thycotic Software|Secret Server|8.9.030008|10040|SECRET - PASSWORD_COPIED_TO_CLIPBOARD|2|msg=[SecretServer] Event: [Secret] Action: [Password Copied to Clipboard] By User: internal.local\\ddonald Item Name: Service Account for SCCM (System Center Configuration Manager) Container Name: Miscellany suid=14 suser=internal.local\\ddonald cs4=internal.local\\Donald, David cs4Label=suser Display Name src=24.1.0.5 rt=Apr 05 2016 03:10:09 fname=Service Account for SCCM (System Center Configuration Manager) fileType=Secret fileId=345 cs3Label=Folder cs3=Miscellany
Thanks
↧