Hi,

I'm currently in the process of building a parser extension to pull an IP address from a Palo Alto FW log.

I have in the raw log "From: x.x.x.x" that specifies the source IP, but it doesn't get parsed to the `principal.ip` UDM field.

When I change the field to `principal.artifact.ip` it does work.

Is there a way to pull a value to `principal.ip`? Or is it somehow blocked for parser extensions?

Yes, you can parse into `principal.ip` from a parser extension. Without seeing your error message from the parser I can't be sure, but you are probably running into the differences between regular string fields (like `principal.artifact.ip`) and repeat fields (like `principal.ip`).

To properly write repeat fields they need to be saved as an array instead of a string, even if the array will only contain a single value. You do this with a `merge` instead of a `replace` when assigning the value to the UDM path in the parser.

There's an example of this with the syntax here: https://cloud.google.com/chronicle/docs/event-processing/parsing-overview#store_the_target_ip_address_and_source_ip_address_using_the_merge_statement
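As an added illustration (not the poster's code or the linked doc's example), the two assignments side by side in a parser-extension `filter` block: `replace` for the single-valued string field and `merge` for the repeated field. It assumes the raw line contains `From: x.x.x.x` as described, and that the extension's output is written with the standard `@output` merge and `on_error` guard used in Chronicle parser syntax.

```logstash
filter {
  # Extract the source address after "From: " into the token src_ip.
  # on_error sets a flag instead of failing the whole event if the
  # pattern does not match (assumed available as in Chronicle grok).
  grok {
    match => {
      "message" => "From: %{IP:src_ip}"
    }
    on_error => "no_src_ip"
  }

  if ![no_src_ip] {
    # principal.artifact.ip is a plain string field: replace works.
    mutate {
      replace => {
        "event.idm.read_only_udm.principal.artifact.ip" => "%{src_ip}"
      }
    }

    # principal.ip is a repeated field: it must receive an array, so
    # merge the extracted token instead of replacing with a string.
    # This is the form that fails when written with replace.
    mutate {
      merge => {
        "event.idm.read_only_udm.principal.ip" => "src_ip"
      }
    }
  }

  # Emit the built event (standard closing step of a parser/extension).
  mutate {
    merge => {
      "@output" => "event"
    }
  }
}
```

With the same `src_ip` token, only the `merge` assignment produces a single-element array, which is what the repeated `principal.ip` field accepts.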
