QUESTION

I have created a custom schema and a custom log source to ingest logs. My schema includes a field called new_IPAddress which either includes one IP address or multiple IP addresses. For example, it might get the following types of values:

How can I cover this behavior using the split transformation and ensuring that all the values of the field will be ingested as expected?

ANSWER

While we don’t offer a direct solution for this at the moment, there is a handy workaround that can assist in this situation.

The workaround solution is to use the split directive and apply it to as many fields as necessary to capture all the IP addresses. There is no limit to the number of split fields that can be used, so you could add more split fields to your schemas to ensure that all the IP addresses are captured. In addition, no issues will occur if only a single IP is contained in the new_IPAddress field while there are multiple split fields; in this case, the remaining fields will remain null.

Below you can find an example of how split can be used for the case when the new_IPAddress field contains two values (e.g. "1.1.1.1, 2.2.2.2"), but, as mentioned above, this can be expanded in a similar way to include more IP values:

    - name: new_IPAddress
      required: true
      type: string
      indicators:
        - ip
    - name: new_IPAddress1
      type: string
      indicators:
        - ip
      split:
        from: new_IPAddress
        separator: ","
        index: 0
    - name: new_IPAddress2
      type: string
      indicators:
        - ip
      split:
        from: new_IPAddress
        separator: ","
        index: 1
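The behaviour the answer describes, simulated in Python as an added example (constructed code, not Panther's own implementation): the schema above transcribed into dicts, a function that fills the split fields from new_IPAddress, and a check that counts IPs no split field captures. It assumes each piece is whitespace-trimmed and that an out-of-range index or missing source yields null, which the page does not state.

```python
# Constructed simulation of the split directive described in the answer;
# not Panther's own implementation.

# The schema fragment from the answer, transcribed into Python dicts.
SCHEMA_FIELDS = [
    {"name": "new_IPAddress", "required": True, "type": "string", "indicators": ["ip"]},
    {"name": "new_IPAddress1", "type": "string", "indicators": ["ip"],
     "split": {"from": "new_IPAddress", "separator": ",", "index": 0}},
    {"name": "new_IPAddress2", "type": "string", "indicators": ["ip"],
     "split": {"from": "new_IPAddress", "separator": ",", "index": 1}},
]


def apply_split_fields(event: dict, fields: list) -> dict:
    """Fill each field carrying a split directive from its source field.

    Assumed (the page does not say): pieces are whitespace-trimmed, and an
    index past the last piece, or a missing source, leaves the field None.
    """
    out = dict(event)
    for field in fields:
        split = field.get("split")
        if split is None:
            continue
        source = out.get(split["from"])
        if source is None:
            out[field["name"]] = None
            continue
        pieces = [p.strip() for p in str(source).split(split["separator"])]
        idx = split["index"]
        out[field["name"]] = pieces[idx] if idx < len(pieces) else None
    return out


def uncaptured_ip_count(event: dict, fields: list, source: str = "new_IPAddress") -> int:
    """IPs in `source` beyond what the split fields capture; >0 means add more split fields."""
    splits = [f["split"] for f in fields if f.get("split", {}).get("from") == source]
    value = event.get(source)
    if not value or not splits:
        return 0
    pieces = [p for p in str(value).split(splits[0]["separator"]) if p.strip()]
    return max(0, len(pieces) - len(splits))


if __name__ == "__main__":
    # Constructed sample events: one, two and three IPs in the source field.
    for raw in ("1.1.1.1", "1.1.1.1, 2.2.2.2", "1.1.1.1, 2.2.2.2, 3.3.3.3"):
        event = {"new_IPAddress": raw}
        print(apply_split_fields(event, SCHEMA_FIELDS), "uncaptured:",
              uncaptured_ip_count(event, SCHEMA_FIELDS))
```

The third sample shows the point the answer makes: with only two split fields, a third IP is silently dropped, so the schema needs one split field per IP you expect to see.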