Sumo Logic allows you to parse on previously extracted fields, or initial parsing on a metadata field value (_collector, _source, etc..) using the additional parse syntax of
parse field=<field_name> "start_anchor*stop_anchor" as
parse regex field=<field_name> " start expression(?<fieldname>field expression) stop expression"
Sample log message:
Aug 2 04:06:08: host=10.1.1.124: local/ssl2 notice mcpd: Useremail@example.com: severity=warning: 01070638:5: Pool member 172.31.51.22:0 monitor status down.
First we'll use a parse statement such as the following to get the User from the log message, which will return a field called
user_email with a value of
parse "User=*:" as user_email
Now that we have this field, we want to additionally parse out just the name and domain from the email address. We can do this by adding the additional syntax of
fields=<field_name> to a follow-up parse operation:
parse "User=*:" as user_email | parse field=user_email "*@*" as user_name, domain
The result of the above query would be:
fields=<field_name> syntax is not just limited to fields that have been specifically parsed from the logs. This syntax can also be used to parse the predefined metadata fields such as _collector, _source, _sourceName, etc. For example, if we have a long list of Collectors all with the same naming format of HostName_10.10.10.1 we can parse this metadata field value to just get the IP address.
parse field=_collector "HostName_*" as host_ip