My Runtime Script is not returning a value

jreyes25 · March 7, 2023, 5:30pm

Hello,

I have created a runtime field named "user". My goal is to extract the username (user=Bob) from a 'event.original' mapping which looks like this:

  "event.original": [
    "Mar 7 10:17:44 Bob gdm-password][1545478]: "pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/tty1 ruser= rhost= user=Bob"

The code I entered for 'Set Value' is:

String user=grok('%GREEDYDATA:leading_data)/user=%
        {DATA:user}\'').extract(params._source.event.original)?.user;
if (user != null) emit(user);

I used the code I found from another forum on a similar problem and replaced it with what I thought would work. The code didn't error out, but it's not giving the result I need (i.e. user = Bob). The result is just a blank field.

Could someone help on where I went wrong in the script? Thank you.

jreyes25 · March 20, 2023, 8:33pm

I figured it out. If anyone runs into the same situation, I used the following script to pull the username from an event.original field.

String username=grok('user=%{USERNAME:username}').extract(params._source.event.original)?.username;
if (username != null) emit(username);

system · April 17, 2023, 8:33pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.