Tanium 148 - [GIS:-Startup-Programs@017472
Tanium 148 - [WEC:-Subscription-Manager-Setting@017472
Tanium 148 - [GIS:-Trace-Executed-Processes---Powershell@017472
Tanium 148 - [GIS:-Scheduled-Task-Information@017472
Tried below grok but GIS is changing
%{DATA:Field} - [GIS:-%{GREEDYDATA:GIS}
After fixing this you should anchor the start of your grok pattern as it is a regular expression under the hood.
Read this blog post
So because it is a regular expression you can put in a pattern for the varying section.
%{DATA:Field} - [%{DATA:message_type}:-%{GREEDYDATA:GIS}
If you don't want the lines with WEC in the message_type then you can add a conditional section with the drop filter.
if not message_type == "GIS" {
drop {}
}
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.