This is related to another question I'm still working on resolving. Until that is resolved, though, I was wondering about using part of a field when making rules.
Specifically, for my Cisco syslogs, the EventInfo field shows the hostname followed by a bunch of other information. For example:
EventInfo: SWITCHNAME: Jul 20 12:45:16.756 UTC %FACILITY-SEVERITY-MNEMONIC: Message-text
What I want to do is use only the hostname portion in the Action box in Rule Creator. ...I know I can drag "EventInfo" to one of the $parameter fields, but how do I tell it to only use what is before the first colon (i.e. "SWITCHNAME")?
...in other programs I would use the substringAfter or substringBefore function to do this. Does such a thing exist in LEM?
Thank you!