Extract mode
Use regular expressions to extract text from fields in incoming events.
Features
Specify one or more Ruby compatible↗ regular expressions to match and extract text from incoming events.
Any matched text will be included in an array in a new event. If there are no matches, no event will be emitted by default.
Specify the name of the key for each array of matched text.
Configuration Options
mode: 'Extract'matchers: When using 'Extract' mode, define an array of regular expression configuration blocks to match text in incoming events:path: Specify the wrapped JSON path for the field containing text to extract.regexp: Specify the regular expression to be used to extract text.to: Specify the name of the field to contain the array of matches.emit_no_match: (Optional) By settingemit_no_matchtotruean event will also be emitted if the regular expression does not match.
Emitted Events
{
"email_addresses": ["alice@example.com"],
"ips": ["10.1.1.12"],
"urls": ["http://example.com", "https://tines.com"]
}Example Configuration Options
Given the incoming event below, extract all email addresses and store them in a field called 'email_addresses' in a new Event.
{
"text": "You received to email to alice@example.com sent from bob@example.com"
}{
"mode": "extract",
"matchers": [
{
"path": "<<text>>",
"regexp": "\\b[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,4}\\b",
"to": "email_addresses"
}
]
}Given the incoming event below, extract all email addresses from 'text' store them in a field called 'email_addresses'; extract all URLs from 'referrers' and store them in a field called 'urls'; and extract all IP addresses from 'servers' and store them in a field called 'ips'.
{
"text": "You received to email to alice@example.com sent from bob@example.com",
"metadata": {
"servers": "10.1.1.1, 10.2.3.4, 10.15.6.8",
"referrers": "https://tines.com and https://www.example.com"
}
}{
"mode": "extract",
"matchers": [
{
"path": "<<text>>",
"regexp": "\\b[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,4}\\b",
"to": "email_addresses"
},
{
"path": "<<metadata.referrers>>",
"regexp": "https?:\\/\\/[\\S]+",
"to": "urls"
},
{
"path": "<<metadata.servers>>",
"regexp": "\\b(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\b",
"to": "ip_addresses"
}
],
"message": "Email addresses taken from text, Urls from referrers and IPs from servers."
}