Extensions

An Extension is a formatting pattern used to generate the human-readable form of several values in the notification event that is routed to an Output. These Extensions are used by the Modern, LEEF, and JSON formats (they do not affect the legacy formats). Extensions are placed into the syslog output event in the form “name=value”. A single space always precedes the “name=” phrase.

At the Event Description level, the Extension field defines the default Extensions. Additional Extensions can be added for individual Subtypes and Rules defined within the Event Description, for example, those specified in the Add Extension field of the respective Create Event Subtype panel and Create Rule panel.

Extensions do not stand alone; they must be attached to other entities. These entities are arranged in a hierarchical fashion; same-named Extensions at higher levels are appended after those at lower levels rather than replacing them.

Hierarchy (1 is lowest level):

  1. Event Source
  2. Event Description
  3. Event Subtype
  4. Rule

Replaceable fields in the formatting string are replaced with the value of the field from the Event data at the time the event is captured and processed. The resulting values can also be transformed into other values by Substitutions.

Available functions: %extract, %int, %substr, %subst, %sst, %len, %length, %ltrim, %triml, %rtrim, %trimr and %trim.

The %extract arguments that are available are:

Date Values:
  EPOCH, MILLENNIUM, MILLENNIUMS, CENTURY, CENTURIES, DECADE, DECADES, YEAR, YEARS, QUARTER, MONTH, WEEK, DAY, DAYS, DOW, DOY

Time Values:
  HOUR, HOURS, MINUTE, MINUTES, SECOND, SECONDS, MILLISECOND, MILLISECONDS, MICROSECOND, MICROSECONDS

NOTE: The %extract function is:
  • Not currently available for *TIMESTAMP in Event Source type of *SYSMSG.
  • Available on OS 7.4, 7.3 with TR5, and 7.2 with TR9.

Function names are not case sensitive. Character fields must be enclosed in single quotes.

EXAMPLE:
%trimr(%substr('&CAUNAM&',1,5))

EXAMPLE:
%extract(EPOCH from '&*TIMESTAMP&')

In the output, extensions appear sorted by level first, then alphabetically by the name of the extension.

EXAMPLE: If you have extensions on Entry Type TPW, some more on Entry Subtype P, and then on a Rule:

TPW: a=&FLD1&, b=&FLD2&, c=&FLD3&
P: a=&FLDX&, b=&FLDY&
Rule A: a=&FLDn&

They appear in the output as: a=1 b=2 c=3 a=X b=Y a=n

Including message variables

The value of message variables (message fields) can be used in Extensions. For example, if a CPF1234 message is sent, and includes a message variable, the value of that message variable can be included in an Extension.

To do this, specify the field on the Value line of the Create Extension panel as follows:

&[number of message field]

For example, for message field #1:

&1
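The following is an added, self-contained Python model of the three mechanisms described on this page (the %function formatting string, the level-then-name ordering of Extensions, and &N message variables). It is illustrative code written for this page, not the product's own implementation. The event fields, message variables and the *TIMESTAMP layout (YYYY-MM-DD-HH.MM.SS.ffffff, treated as UTC) are constructed sample data; %subst and %sst are modelled as aliases of %substr, DOW numbering is a model choice, and only a subset of the %extract units is implemented, all of which are assumptions rather than documented behaviour.

```python
import re
from datetime import datetime, timezone

# Constructed sample event: &NAME& fields plus numbered message variables (&1, &2).
# The *TIMESTAMP layout is assumed to be YYYY-MM-DD-HH.MM.SS.ffffff in UTC.
SAMPLE_FIELDS = {
    "CAUNAM": "QSECOFR   ",
    "FLD1": "1", "FLD2": "2", "FLD3": "3",
    "FLDX": "X", "FLDY": "Y", "FLDn": "n",
    "*TIMESTAMP": "2024-03-15-14.22.08.123456",
}
SAMPLE_MSGVARS = {1: "PAYROLL", 2: "QGPL"}
TS_FORMAT = "%Y-%m-%d-%H.%M.%S.%f"

def expand_fields(text, fields, msgvars):
    """Replace &NAME& with the event field value and &N with message variable N."""
    text = re.sub(r"&([\w*]+)&", lambda m: fields.get(m.group(1), ""), text)
    return re.sub(r"&(\d+)", lambda m: msgvars.get(int(m.group(1)), ""), text)

def extract(unit, ts_text):
    """%extract(UNIT from 'timestamp') for a subset of the page's date/time units."""
    ts = datetime.strptime(ts_text, TS_FORMAT).replace(tzinfo=timezone.utc)
    units = {
        "EPOCH": int(ts.timestamp()),
        "YEAR": ts.year, "QUARTER": (ts.month - 1) // 3 + 1, "MONTH": ts.month,
        "DAY": ts.day, "DOY": ts.timetuple().tm_yday,
        "DOW": ts.isoweekday(),  # model numbering (Monday=1); the page does not define it
        "HOUR": ts.hour, "MINUTE": ts.minute, "SECOND": ts.second,
        "MILLISECOND": ts.microsecond // 1000, "MICROSECOND": ts.microsecond,
    }
    return str(units[unit.upper()])

def call(name, args):
    """Apply one %function to already-resolved arguments; names are case-insensitive."""
    name = name.lower()
    if name == "extract":
        m = re.fullmatch(r"\s*(\w+)\s+from\s+'([^']*)'\s*", args, re.IGNORECASE)
        if not m:
            raise ValueError(f"bad %extract arguments: {args!r}")
        return extract(m.group(1), m.group(2))
    # Split on commas outside quotes, then drop the quotes around character literals.
    toks = [t.strip() for t in re.findall(r"'[^']*'|[^,]+", args)]
    toks = [t[1:-1] if t.startswith("'") and t.endswith("'") else t for t in toks]
    if name in ("substr", "subst", "sst"):  # modelled as aliases: 1-based start, length
        start, length = int(toks[1]), int(toks[2])
        return toks[0][start - 1:start - 1 + length]
    simple = {
        "trimr": str.rstrip, "rtrim": str.rstrip,
        "triml": str.lstrip, "ltrim": str.lstrip, "trim": str.strip,
        "len": lambda s: str(len(s)), "length": lambda s: str(len(s)),
        "int": lambda s: str(int(s.strip())),
    }
    return simple[name](toks[0])

# Innermost call: argument text with no nested parentheses (quoted literals containing
# parentheses or '%' are not handled by this model).
CALL = re.compile(r"%(\w+)\(([^()]*)\)")

def evaluate(expr, fields=SAMPLE_FIELDS, msgvars=SAMPLE_MSGVARS):
    """Resolve one Extension value: expand fields, reduce %functions inside-out, unquote."""
    text = expand_fields(expr, fields, msgvars)
    while True:
        m = CALL.search(text)
        if not m:
            break
        # Re-insert the result as a quoted character literal so an outer call can use it.
        text = text[:m.start()] + "'" + call(m.group(1), m.group(2)) + "'" + text[m.end():]
    return re.sub(r"'([^']*)'", r"\1", text)

def render(extensions, fields=SAMPLE_FIELDS, msgvars=SAMPLE_MSGVARS):
    """Emit ' name=value' pairs ordered by level (1=Event Source .. 4=Rule), then by name."""
    ordered = sorted(extensions, key=lambda e: (e[0], e[1]))
    return "".join(f" {name}={evaluate(expr, fields, msgvars)}" for _, name, expr in ordered)

# The page's TPW / Subtype P / Rule A example as (level, name, value) tuples, deliberately
# listed out of order to show that output order comes from the sort, not from input order.
EXAMPLE_EXTENSIONS = [
    (4, "a", "&FLDn&"),                                          # Rule A
    (3, "b", "&FLDY&"), (3, "a", "&FLDX&"),                      # Subtype P
    (2, "c", "&FLD3&"), (2, "a", "&FLD1&"), (2, "b", "&FLD2&"),  # Event Description TPW
]

if __name__ == "__main__":
    print(evaluate("%trimr(%substr('&CAUNAM&',1,5))"))     # QSECO
    print(evaluate("%extract(EPOCH from '&*TIMESTAMP&')"))  # 1710512528
    print(evaluate("lib=&1"))                               # lib=PAYROLL
    print(render(EXAMPLE_EXTENSIONS))                       #  a=1 b=2 c=3 a=X b=Y a=n
```

The two EXAMPLE strings from this page evaluate to the trimmed five-character user name and the epoch seconds of the sample timestamp, and render() reproduces the "a=1 b=2 c=3 a=X b=Y a=n" ordering shown above, with each pair preceded by a single space as the page specifies.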