Project

General

Profile

FAQ » History » Version 3

« Previous - Version 3/5 (diff) - Next » - Current version
Luke Murphey, 10/29/2015 06:05 PM


FAQ

Can I specify more than one selector (to match different things on a single page)

Yes, enter multiple selectors separated by commas. To match both span and div tags, you would enter a selector of "span,div".

Can I use attributes to set the field names?

You can use the "Name Attributes" option on the Output section to tell the app to use attribute values as the field name.

For example, consider the following HTML:

<div id="model">Focus</div>
<div name="submodel">ST</div>
<div name="make" id="car">Ford</div>

Assuming you have the CSS selector set such that it matches all "div" tags, you would get the following output:

match=Focus match=ST match=Ford

The matches do not distinguish which div tag was set (cannot tell which field is the model, submodel or make). If the setting of the name attributes is "name", then the app would look for the "name" attribute and use that as the name. This results in:

match=Focus submodel=ST make=Ford

You can use multiple names too. In the example above, it makes sense to use "id" too. This can be done by setting the name attributes to "name,id", This would cause the following output with the example above:

model=Focus submodel=ST make=Ford

Now, the fields have names that distinguish what they are.

Note that it uses the first match it finds. That means it will look for "name" first and then "id" when the setting is "name,id".

I changed the sourcetype and now the match field is no longer a multi-value field; what do I do?

You can use rex to parse out the content into a field of your choice. In the example below, the matches are being parsed into a field called "file".

sourcetype="downloads" | rex field=_raw "match=(?<file>[.a-zA-Z0-9_]+)" max_match=50 | mvexpand file