I would like to take the following lines in my props.conf file and, at search time, use these field extractions to set a fixed value for a new field depending on the rule that it hits:
[safenet_datasecure]
EXTRACT-datasecure0 = Web login failure\: Invalid username\/password in login attempt for administrator \"(?<ing_user>[a-zA-Z0-9]+)\" from (?<ing_clientip>[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
EXTRACT-datasecure1 = Login attempted with invalid username \"(?<ing_user>[a-zA-Z0-9]+)\"
So I get a field like ing_rule=0 or ing_rule=1, depending on whether it used datasecure0 or datasecure1 to extract the field from the event.
Anyone?