Skip to main content

Responses are generated using AI and may contain mistakes.

Exabeam SearchExabeam Search Guide

Dynamic Field Extraction

To address immediate search needs on data that has not been parsed, you can define a parsed field from the Search query. This will parse fields that might have been missed at the parsing stage, without having to first define a new parser.

To perform a dynamic field extraction, use Exabeam advanced query language with an RGX_EXTRACT function inside of a SELECT clause, like the following:

SELECT RGX_EXTRACT( [fieldName,] [regexp_pattern] ) [alias_expression]

where:

  • fieldName – Source field name value from which the field is extracted. If omitted, the extraction uses the raw log message.

  • regexp_pattern – Regex expression to extract field value

  • alias_expression – Target field name for extracted values

Note

Parameters

  • RGX_EXTRACT only works for string data types.

  • The reserved keywords (SELECT, RGX_EXTRACT, AS, WHERE) can be either all lowercase or all uppercase.

  • You cannot use an existing field as a dynamic parsed field.

  • You can enter up to three RGX_EXTRACT expressions at a time.

  • RGX_EXTRACT does not support the Aggregations feature available in the search results toolbar. However, when creating your search, you can leverage advanced query language syntax to produce an aggregation table. See the example below in RGX_EXTRACT Query with Aggregation.

The following functionality is not supported for dynamically parsed fields:

  • These fields will not appear in the Field Summary panel.

  • The Convert to Rule functionality is disabled when using dynamic field extraction.

Sample RGX_EXTRACT Query

The following is a sample query that uses the RGX_EXTRACT function in a SELECT clause:

SELECT *, RGX_EXTRACT("\{[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}") AS Logon_GUID WHERE vendor ="Microsoft" AND activity_type="login"

This sample query searches the raw logs for login events where the vendor is Microsoft and a specific value is present in an unparsed Logon GUID field. It extracts the value of this field and parses it as a field labeled Logon_GUID.

Note

The sample query above will return results for login events that were ingested in a native JSON format.

When a value is successfully parsed using dynamic field extraction, the dynamic parsed fields will be displayed in the search results, and on the Event tab of the Details panel, as shown in the images below. Dynamic parsed fields will appear in Timeline view, List view, or Table view, regardless of what field template is selected.

rgx-extract-results.png
rgx-extract-details.png

RGX_EXTRACT Query with Aggregation

Dynamically parsed fields do not support the Aggregations feature available in the search results toolbar. However, when you create your search, you can use the GROUP-BY advanced query language operator, in combination with aggregation query functions, to produce an aggregated table. In the following example, the COUNT(*) function has been added to the query after the RGX_EXTRACT clause, and the GROUP-BY clause has been added to the end:

SELECT RGX_EXTRACT("\{[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}") AS Logon_GUID, count(*) AS GUID_count WHERE vendor ="Microsoft" AND activity_type="login" AND NOT Logon_GUID=NULL GROUP-BY Logon_GUID

This query produces search results in a table view that shows counts for the extracted field values, as shown in the image below. For more information about using these advanced query language features, see GROUP-BY and Query Using Aggregation Functions

extracted-aggregated.png