Hi,
Is there a way to parse multiple values if the key always has the same name?
For example, from the log for Check Point Content Awareness, where there are multiple fname= keys.
I am able to create a custom property with a regex which parses all of these in one take, but I would like to have them separated so QRadar can work with each of them separately.
LOG:
LEEF:2.0|Check Point|Content Awareness|1.0|Accept|devTime=2589654136 proto=HTTP usrName=John Doe (jdoe) cat=Content Awareness fname=concrt140_app.dll fname=msvcp140_1_app.dll fname=msvcp140_2_app.dll fname=msvcp140_app.dll fname=msvcp140_atomic_wait_app.dll fname=msvcp140_codecvt_ids_app.dll fname=vcamp140_app.dll fname=vccorlib140_app.dll fname=vcomp140_app.dll fname=vcruntime140_app.dll file_type=Executable
Regards
T
------------------------------
tysa
------------------------------
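An added example, not part of the original post, showing how the repeated fname= keys in that event can be pulled apart outside QRadar: a small Python LEEF parser that collects every attribute into a list, so a key that appears ten times yields ten separate values. The event string is a constructed copy of the one quoted above; the optional LEEF 2.0 delimiter header field is assumed absent, since the sample uses space-separated attributes.

```python
import re

# Constructed copy of the Check Point Content Awareness event from the post.
SAMPLE_EVENT = (
    "LEEF:2.0|Check Point|Content Awareness|1.0|Accept|devTime=2589654136 "
    "proto=HTTP usrName=John Doe (jdoe) cat=Content Awareness "
    "fname=concrt140_app.dll fname=msvcp140_1_app.dll fname=msvcp140_2_app.dll "
    "fname=msvcp140_app.dll fname=msvcp140_atomic_wait_app.dll "
    "fname=msvcp140_codecvt_ids_app.dll fname=vcamp140_app.dll "
    "fname=vccorlib140_app.dll fname=vcomp140_app.dll fname=vcruntime140_app.dll "
    "file_type=Executable"
)

# A value runs until the next "<whitespace>key=" boundary (or end of line), so
# values containing spaces ("John Doe (jdoe)", "Content Awareness") stay whole
# instead of being broken up by a naive split on whitespace.
_ATTR_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_leef(event):
    """Split a LEEF 2.0 event into header fields and attributes.

    Every attribute maps to a list of values in order of appearance, so a
    repeated key such as fname= keeps all its occurrences separately.
    Assumes the default whitespace attribute delimiter (no delimiter header).
    """
    parts = event.split("|", 5)
    if len(parts) < 6 or not parts[0].startswith("LEEF:"):
        raise ValueError("not a LEEF event")
    header = {
        "version": parts[0],
        "vendor": parts[1],
        "product": parts[2],
        "product_version": parts[3],
        "event_id": parts[4],
    }
    attrs = {}
    for key, value in _ATTR_RE.findall(parts[5]):
        attrs.setdefault(key, []).append(value)
    return header, attrs


def repeated_values(event, key):
    """All values carried by one (possibly repeated) key, e.g. every fname."""
    return parse_leef(event)[1].get(key, [])


if __name__ == "__main__":
    for i, name in enumerate(repeated_values(SAMPLE_EVENT, "fname"), 1):
        print(f"fname #{i}: {name}")
```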