Hi!
I have Grafana v7.5.7 and I'm trying to extract some content from my data.
My goal is to take a part from the message from snort’s alert.
I created event.original as my own variable to collect data from elasticsearch and now I can see my logs.
My regex /([a-zA-Z\a].)/ works in my variable's section, as you can see in the picture below.
These values are stored in a variable called snort that I made in Grafana.
However, my issue is that I need to extract the part of the message INDICATOR-SCAN SSH brute force login attempt and SSH detected in my dashboard from the Query section in Grafana.
In summary:
What I have at this moment:
- 05/27-11:30:12.466603 [ ] [1:19559:13] “INDICATOR-SCAN SSH brute force login attempt” [ ] [Classification: Misc activity] [Priority: 3] {TCP} x.x.x.x:53962 → x.x.x.x:xx
What I need:
INDICATOR-SCAN SSH brute force login attempt
I hope somebody can help me.
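The text the post wants is the rule message, which Snort's fast-alert format always writes between double quotes right after the `[gid:sid:rev]` block, so a capture group on the quoted span is enough; the regex in the post, `/([a-zA-Z\a].)/`, captures only one letter plus the following character. The following Python is an added example, not code from the post or from Grafana or Snort. The alert lines are constructed samples modelled on the alert in the post (the `[**]` separators and straight quotes are what Snort actually writes; forums often mangle them into `[ ]` and curly quotes, so both forms are accepted). The `SSH detected` rule id `[1:99999:1]` and the addresses are placeholders, not real signature ids or hosts. The single-group pattern in `MSG_ONLY_RE` is the kind of expression one would paste into a Grafana variable Regex field, which keeps the first capture group as the value.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional

# Constructed sample lines in Snort "fast" alert format, modelled on the alert
# in the post. Addresses use documentation ranges and the "SSH detected" rule
# id is a placeholder, not a real Snort signature.
SAMPLE_ALERTS: List[str] = [
    '05/27-11:30:12.466603 [**] [1:19559:13] "INDICATOR-SCAN SSH brute force login attempt" '
    '[**] [Classification: Misc activity] [Priority: 3] {TCP} 198.51.100.7:53962 -> 192.0.2.10:22',
    '05/27-11:30:15.100000 [**] [1:99999:1] "SSH detected" '
    '[**] [Classification: Misc activity] [Priority: 3] {TCP} 198.51.100.7:53970 -> 192.0.2.10:22',
    # A forum-mangled copy: separators collapsed to "[ ]", quotes turned curly.
    '05/27-11:30:18.000000 [ ] [1:19559:13] “INDICATOR-SCAN SSH brute force login attempt” '
    '[ ] [Classification: Misc activity] [Priority: 3] {TCP} 198.51.100.7:53981 → 192.0.2.10:22',
    'this line is not a snort alert',
]

# Minimal pattern: the first quoted span on the line is the rule message.
# Straight and curly quotes are both accepted for copy-pasted logs.
MSG_ONLY_RE = re.compile(r'["“]([^"”]+)["”]')

# Full pattern for the fast-alert line, with named groups for every field a
# dashboard might want to filter or group on.
ALERT_RE = re.compile(
    r'^(?P<timestamp>\S+)\s+\[[* ]*\]\s+'
    r'\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+'
    r'["“](?P<msg>[^"”]+)["”]\s+\[[* ]*\]\s+'
    r'(?:\[Classification:\s*(?P<classification>[^\]]+)\]\s+)?'
    r'\[Priority:\s*(?P<priority>\d+)\]\s+'
    r'\{(?P<proto>\w+)\}\s+'
    r'(?P<src>\S+)\s+(?:->|→)\s+(?P<dst>\S+)\s*$'
)


def extract_message(line: str) -> Optional[str]:
    """Return just the quoted rule message, or None if the line has none."""
    m = MSG_ONLY_RE.search(line)
    return m.group(1) if m else None


def parse_alert(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Parse one fast-alert line into its fields; None for non-alert lines."""
    m = ALERT_RE.match(line)
    return m.groupdict() if m else None


def count_messages(lines: Iterable[str]) -> Dict[str, int]:
    """Count alerts per rule message, the aggregation a dashboard panel shows.

    Lines that do not parse are skipped rather than raising, so one mangled
    log line cannot break the whole panel.
    """
    counts: Counter = Counter()
    for line in lines:
        parsed = parse_alert(line)
        if parsed is not None:
            counts[parsed["msg"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for line in SAMPLE_ALERTS:
        print(repr(extract_message(line)))
    print(count_messages(SAMPLE_ALERTS))
```

`count_messages` accepts the mangled copy as well, so the dashboard count for the brute-force message is 2 in the sample. If only exact Snort output is expected, tighten the separator to `\[\*\*\]` and drop the curly-quote alternatives.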