This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Announcements
Webinar May 14th: Gemini's generative AI within Google SecOps
Webinar May 29th: Log Ingestion: Bindplane + Google SecOps
Log in to ask a question

Use parser extension to remove field mapping

Posted on 12-14-2023 06:42 AM
lukas-lr
Bronze 4
Bronze 4
Reply posted on --/--/---- --:-- AM

Hi everyone,

Is there a way to delete a field value by using a parser extension? I want to "move" a value from one UDM field to the other, leaving the UDM field used by the default parser empty. However, I could not find an explicit way to set it to null or empty, such that the value set by the default parser is removed from the UDM event.

Solved Solved
0 3 549
Topic Labels
Jump to Solution
0 Likes
1 ACCEPTED SOLUTION

Posted on --/--/---- --:-- AM
cmmartin_google
Staff
Reply posted on --/--/---- --:-- AM

You can't remove a mapping from the default parser is my understanding of using Parser Extensions.

You can write a GROK extension to take the original value from the raw log into a new UDM field, but if you add a value as empty then the original UDM value will be used.

I think this would be a FR for Parser Extensions to support this, or else an update to the default parser via support.

View solution in original post

Jump to Solution
3 REPLIES 3
Top Solution Authors
View all