Extensions
An Extension is a formatting pattern used to generate the human-readable form of several values in the notification event that is routed to an Output. These Extensions are used by the Modern, LEEF, and JSON formats (they do not affect the legacy formats). Extensions are placed into the syslog output event in the form “name=value”. A single space always precedes the “name=” phrase.
At the Event Description level, the Extension field defines the default Extensions. Additional Extensions can be added for individual Subtypes and Rules defined within the Event Description, for example, those specified in the Add Extension field of the respective Create Event Subtype panel and Create Rule panel.
Extensions do not stand alone; they must be attached to other entities. These entities are arranged in a hierarchy; same-named Extensions at higher levels are “appended” to those at lower levels.
Hierarchy (1 is lowest level):
1. Event Source
2. Event Description
3. Event Subtype
4. Rule
Replaceable fields in the formatting string are replaced with the value of the field from the Event data at the time the event is captured and processed. In addition, field values can themselves be transformed to other values by Substitutions.
Available functions: %extract, %int, %substr, %subst, %sst, %len, %length, %ltrim, %triml, %rtrim, %trimr and %trim.
The %extract arguments that are available are:
Date Values | Time Values |
---|---|
EPOCH | HOUR |
MILLENNIUM | HOURS |
MILLENNIUMS | MINUTE |
CENTURY | MINUTES |
CENTURIES | SECOND |
DECADE | SECONDS |
DECADES | MILLISECOND |
YEAR | MILLISECONDS |
YEARS | MICROSECOND |
QUARTER | MICROSECONDS |
MONTH | |
WEEK | |
DAY | |
DAYS | |
DOW | |
DOY | |
The %extract function is:
- Not currently available for *TIMESTAMP in Event Source type of *SYSMSG.
- Available on OS 7.4, 7.3 with TR5, and 7.2 with TR9.
Function names are not case sensitive. Character fields must be enclosed in single quotes.
%trimr(%substr('&CAUNAM&',1,5))
%extract(EPOCH from '&*TIMESTAMP&')
They appear in the output as: a=1 b=2 c=3 a=X b=Y a=n
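Because same-named Extensions are appended, one event can carry the same name several times, and a log consumer that loads the pairs into a plain dictionary silently keeps only the last value. The following is an added example, not part of the product: a Python parser for the Extension portion of an event that preserves every occurrence in order. The function names are hypothetical, and it assumes that names consist of letters, digits and underscores and that no value contains a space followed by `name=`.

```python
import re

# Assumption: Extension names are letters, digits or underscores. The page
# states only that a single space always precedes each "name=" phrase.
_EXT_START = re.compile(r"(?:^| )([A-Za-z_][A-Za-z0-9_]*)=")

# Output line quoted on this page.
PAGE_SAMPLE = "a=1 b=2 c=3 a=X b=Y a=n"
# Constructed sample: a value that itself contains spaces.
CONSTRUCTED_SAMPLE = " msg=job ended abnormally usr=QSECOFR"


def parse_extensions(tail):
    """Return [(name, value), ...] in the order the pairs appear."""
    starts = list(_EXT_START.finditer(tail))
    pairs = []
    for i, match in enumerate(starts):
        # A value runs up to the space that introduces the next "name=".
        end = starts[i + 1].start() if i + 1 < len(starts) else len(tail)
        pairs.append((match.group(1), tail[match.end():end]))
    return pairs


def group_by_name(pairs):
    """Collect every value per name, lowest hierarchy level first."""
    grouped = {}
    for name, value in pairs:
        grouped.setdefault(name, []).append(value)
    return grouped


def repeated_names(pairs):
    """Names that occur more than once and would be lost by dict(pairs)."""
    grouped = group_by_name(pairs)
    return sorted(name for name, values in grouped.items() if len(values) > 1)


if __name__ == "__main__":
    parsed = parse_extensions(PAGE_SAMPLE)
    print("ordered pairs :", parsed)
    print("grouped       :", group_by_name(parsed))
    print("repeated names:", repeated_names(parsed))
    # A naive dict keeps only the last occurrence of each name.
    print("naive dict    :", dict(parsed))
    print("spaced values :", parse_extensions(CONSTRUCTED_SAMPLE))
```

When a field must have a single value, decide explicitly whether detection rules read the first or the last occurrence of a repeated name, and alert on names that repeat unexpectedly.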
Including message variables
The value of message variables (message fields) can be used in Extensions. For example, if a CPF1234 message is sent, and includes a message variable, the value of that message variable can be included in an Extension.
To do this, specify the field on the Value line of the Create Extension panel as follows:
&[number of message field]
For example, for message field #1:
&1