Hi Stefan,
This isn't working because you are attempting to combine multiple captured values for a
custom property. We do allow multiple references to be combined together (along with literal characters, if desired) for standard properties, like Username, but it's not currently possible to do this with custom properties like AccountDomain. We are working on a product enhancement to allow for this in custom properties too, but it is not yet available.
FYI, this is what the document is referring to when it says this: "Within log source extensions, you can supply and combine together multiple JSON keypaths to give a single result; this convention
excludes custom properties"
Note that it is possible to combine multiple extraction property values together with a custom AQL property, if this is something you need to do.
Cheers
Colin
------------------------------
COLIN HAY
IBM Security
------------------------------
Original Message:
Sent: Wed May 27, 2020 11:30 AM
From: Stefan Haunß
Subject: json keypath expression not working in qradar 7.4.0
Hello all,
I'm trying to use the example from:
https://www.ibm.com/support/knowledgecenter/SSKMKU/com.ibm.qradar.doc/c_qradar_adm_dsm_ed_json_keypath.html
In the attached image one can see that the properties "first_name" and "last_name" are getting highlighted as described on IBM Knowledge Center.
However, by pressing the OK button it says: "The value entered is not a valid expression."
Any ideas? Suggestions?
Thank you,
Stefan
------------------------------
Stefan Haunß
------------------------------