I have created a custom schema and a custom log source to ingest logs. My schema includes a field called new_IPAddress
which either includes one IP address or multiple IP addresses. For example, it might get the following types of values:
"1.1.1.1"
"1.1.1.1,2.2.2.2"
How can I cover this behavior using the split transformation while ensuring that all the values of the field will be ingested as expected?
While we don't offer a direct solution for this at the moment, there is a handy workaround that can assist in this situation.
The workaround solution is to use the split directive and apply it to as many fields as necessary to capture all the IP addresses. There is no limit to the number of split fields that can be used, so you could add more split fields to your schemas to ensure that all the IP addresses are captured. In addition, no issues will occur if only a single IP is contained in the new_IPAddress field while there are multiple split fields. In this case, the remaining fields will remain null.
Below you can find an example of how split can be used for the case when the new_IPAddress field contains two values (e.g. "1.1.1.1, 2.2.2.2") but, as mentioned above, this can be expanded in a similar way to include more IP values:
- name: new_IPAddress
  required: true
  type: string
  indicators:
    - ip
- name: new_IPAddress1
  type: string
  indicators:
    - ip
  split:
    from: new_IPAddress
    separator: ","
    index: 0
- name: new_IPAddress2
  type: string
  indicators:
    - ip
  split:
    from: new_IPAddress
    separator: ","
    index: 1
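As an added example (not Panther's own code and not part of the original answer), the Python helper below generalizes the schema above to any number of split fields and simulates how a raw value lands in them. The function names (split_field_defs, render_yaml, simulate_ingest, dropped_values) are this example's own; the simulation assumes a plain string split with no whitespace trimming, which is an assumption about the ingest behavior, not something the answer states. It shows the two cases worth checking before shipping a schema: a single IP leaves the higher split fields null, and a record carrying more IPs than you defined split fields for silently loses the extras.

```python
"""Generate N split fields for a custom schema and simulate ingestion.
Added example: hypothetical helper, not the log platform's own tooling."""
from typing import Dict, List, Optional


def split_field_defs(source: str, count: int, separator: str = ",") -> List[dict]:
    """Schema field definitions: the raw source field plus `count` split
    fields named <source>1..<source>N, taking split indexes 0..N-1."""
    fields = [{"name": source, "required": True, "type": "string", "indicators": ["ip"]}]
    for i in range(count):
        fields.append({
            "name": f"{source}{i + 1}",
            "type": "string",
            "indicators": ["ip"],
            "split": {"from": source, "separator": separator, "index": i},
        })
    return fields


def render_yaml(fields: List[dict]) -> str:
    """Minimal YAML rendering for this fixed shape (avoids a PyYAML dependency)."""
    lines = []
    for f in fields:
        lines.append(f"- name: {f['name']}")
        if f.get("required"):
            lines.append("  required: true")
        lines.append(f"  type: {f['type']}")
        lines.append("  indicators:")
        lines.extend(f"    - {ind}" for ind in f["indicators"])
        if "split" in f:
            s = f["split"]
            lines.append("  split:")
            lines.append(f"    from: {s['from']}")
            lines.append(f"    separator: \"{s['separator']}\"")
            lines.append(f"    index: {s['index']}")
    return "\n".join(lines) + "\n"


def simulate_ingest(raw: str, fields: List[dict]) -> Dict[str, Optional[str]]:
    """Map one raw source value onto every field. Assumes a plain split with
    no trimming; an index beyond the number of parts yields None (null)."""
    out: Dict[str, Optional[str]] = {}
    for f in fields:
        if "split" not in f:
            out[f["name"]] = raw          # raw field keeps the whole string
            continue
        s = f["split"]
        parts = raw.split(s["separator"])
        out[f["name"]] = parts[s["index"]] if s["index"] < len(parts) else None
    return out


def dropped_values(raw: str, fields: List[dict]) -> List[str]:
    """Parts of `raw` that no split field captures: the overflow case a
    schema author should check for in real data before relying on N fields."""
    split_defs = [f["split"] for f in fields if "split" in f]
    if not split_defs:
        return []
    covered = {s["index"] for s in split_defs}
    parts = raw.split(split_defs[0]["separator"])
    return [p for i, p in enumerate(parts) if i not in covered]


if __name__ == "__main__":
    defs = split_field_defs("new_IPAddress", 2)
    print(render_yaml(defs))
    # Constructed sample values covering single, paired and overflow cases.
    for sample in ["1.1.1.1", "1.1.1.1,2.2.2.2", "1.1.1.1, 2.2.2.2", "1.1.1.1,2.2.2.2,3.3.3.3"]:
        print(sample, "->", simulate_ingest(sample, defs), "dropped:", dropped_values(sample, defs))
```

The third sample, with a space after the comma, is the caveat to watch: with separator "," the second field receives " 2.2.2.2" including the leading space, so confirm whether your source emits a plain comma or a comma plus space and set the separator to match. Run dropped_values over a sample of real records to size the number of split fields.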