I have a field that contains the following data
"REQUEST-941-APPLICATION-ATTACK-XSS, REQUEST-941-APPLICATION-ATTACK-XSS, REQUEST-941-APPLICATION-ATTACK-XSS, REQUEST-942-APPLICATION-ATTACK-SQLI, REQUEST-949-BLOCKING-EVALUATION, RESPONSE-980-CORRELATION
And I want to return the first item only ie: (REQUEST-941-APPLICATION-ATTACK-XSS), but when i use this grok filter
grok
{
match => {"attack_names" => "(?<attack>^[A-Z1-9-]+)"}
remove_field => ["attack_names"]
}
it return all occurrences
"REQUEST-941-APPLICATION-ATTACK-XSS, REQUEST-941-APPLICATION-ATTACK-XSS, REQUEST-941-APPLICATION-ATTACK-XSS, REQUEST-942-APPLICATION-ATTACK-SQLI, REQUEST-949-BLOCKING-EVALUATION, RESPONSE-980-CORRELATION
So, I tried this ruby code:
ruby
{
code => "
saveid = event.get('attack_names').split(',')[0]
event.set('attack',saveid)
"
}
but this dosen't seem to do anything and the field isn't added to the data.
So, what I'm doing wrong here?