I have just started ingesting 0365 audit logs, and I have come across the following field:
that I would like to parse out to several fields (as it contains comma seperated values) in my ingest pipeline.
I know that I could do this by writing some grok patterns, but as there is also a field called
which will always correspond to the above mentioned value field I was wondering if there was an easy way to combine the keys and values of these fields, and then parse them out to individual fields from there.
Here is an example of the two existing fields:
o365.audit.ExtraProperties.key: TimeZone, OsName, OsVersion, Country, ClientName, ClientVersion, ClientUtcOffsetSecond
o365.audit.ExtraProperties.value: Asia/Saigon, windows, 10, us, skypeteams, 27/220.127.116.112113005, 25200
And what I would like is something like the following fields:
o365.audit.ExtraProperties.TimeZone: Asia/Saigon, o365.audit.ExtraProperties.OsName: windows, o365.audit.ExtraProperties.OsVersion: 10