Create Field in windows for workstation name

Hello,

I am currently performing a task to extract the fields related to the NTLM protocol to determine if this protocol is being used in my network.

With the security, system and application logs that are collected from Windows with Elastic Agent, I already filter according to the information I need.

What brings me to the forum today is that I realize that there is a field called “message” and another “event.original”, and I realize that the field “workstation_name” is not within the available fields.

After reading a bit, I found that you can add new fields and extract them through regular expressions, but I have not been able to get it to work.

// Painless runtime field. Elastic Agent documents keep event.original nested
// under "event" in _source, so the dotted key 'event.original' is never found;
// read the nested map instead. Regex literals also require the node setting
// script.painless.regex.enabled to be "limited" (the default) or "true".
def ev = params._source.event;
if (ev != null && ev.original != null) {
  def m = /Workstation Name:\s*([^\r\n]+)/.matcher(ev.original);
  if (m.find()) {
    // trim() drops the tab/space padding that follows the label in the event text
    emit(m.group(1).trim());
  }
}

Hi @juancamiloll Welcome to the community.

It's probably a better idea to use an ingest pipeline to extract the field than a runtime field in the data view.

Can you provide a sample document in JSON from Discover with event.original, and perhaps we can help. Provide the whole document, as it will provide other information to help. You can anonymize sensitive fields.

Also, exactly what version of the Elastic Stack and which integration?
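As an added example (not from either poster), the same line-anchored regexes the question uses, run in Python over a constructed Windows Security logon event body in the shape event.original carries, so the patterns and the NTLM check can be verified locally before they go into a grok or script processor of an ingest pipeline. The sample text and the field names chosen are assumptions for this example.

```python
import re

# Constructed sample of a Windows Security "account was successfully logged on"
# event body, as Elastic Agent stores it in event.original. Not a real capture.
SAMPLE_EVENT_ORIGINAL = """An account was successfully logged on.

Logon Information:
\tLogon Type:\t\t3

New Logon:
\tAccount Name:\t\tjdoe
\tAccount Domain:\t\tEXAMPLE

Network Information:
\tWorkstation Name:\tWS-EXAMPLE-01
\tSource Network Address:\t10.0.0.25

Detailed Authentication Information:
\tLogon Process:\t\tNtLmSsp 
\tAuthentication Package:\tNTLM
\tPackage Name (NTLM only):\tNTLM V1
"""

# One pattern per "Label:<whitespace>value" line, value running to end of line,
# mirroring the runtime-field regex in the question. Field names are assumed.
FIELD_PATTERNS = {
    "workstation_name": r"Workstation Name:\s*([^\r\n]+)",
    "authentication_package": r"Authentication Package:\s*([^\r\n]+)",
    "package_name": r"Package Name \(NTLM only\):\s*([^\r\n]+)",
    "logon_type": r"Logon Type:\s*([^\r\n]+)",
}


def extract_fields(event_original):
    """Return the fields present in the event text (missing ones are omitted).
    Values are stripped so trailing tabs/spaces do not pollute the field."""
    found = {}
    for name, pattern in FIELD_PATTERNS.items():
        m = re.search(pattern, event_original)
        if m:
            found[name] = m.group(1).strip()
    return found


def is_ntlm_logon(fields):
    """True when the authentication package recorded for the logon is NTLM."""
    return fields.get("authentication_package", "").upper() == "NTLM"
```

Grok equivalent of the first pattern for an ingest pipeline: `Workstation Name:\s*%{DATA:workstation_name}(\r|\n|$)` on the event.original field, with ignore_missing set so non-logon events pass through untouched.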