Stream Processing: is it possible to access to a field position on StringInserts of winevtlog events

[canob]

Hi everyone,

A simple question about Stream Processing: is it possible to access to a field position on StringInserts of winevtlog events?
For example, my StringInserts is this one:
"StringInserts":["[email protected]","LAB.ARG","LABDC$","S-1-5-21-1212037701-3946723201-1981249032-1000","0x40810000","0x12","::1","0","0x0","{9EB2562B-0C64-3E18-8C08-D97E44D172C5}","-"]
And I'm trying to get [email protected] with a STREAM TASK like this one:

[STREAM_TASK]
    Name windows_krb_4769
    Exec CREATE STREAM windows_krb_4769 WITH (tag='windows_krb_4769') AS SELECT StringInserts.['0'] AS User_Name FROM TAG:'windows' WHERE EventID = 4769;

I tried with StringInserts.[0], StringInserts.[$0], StringInserts.0 and StringInserts.$0 with no luck too.
Anybody knows if there is a way to access to a value of a path that don't have field name, like StringInserts, with Stream Processing?

Thanks in advance four your help!

[koleini]

Hi @canob, unfortunately, this functionality is not currently supported in Stream Processor (it would be a valuable feature to include in future releases).

[canob]

Thanks @koleini for your answer.
I found that is even impossible to SELECT all the content of the field, for example with this STREAM TASK:

[STREAM_TASK]
    Name windows_krb_4769_si
    Exec CREATE STREAM windows_krb_4769_si WITH (tag='windows_krb_4769_si') AS SELECT StringInserts AS StringInserts FROM TAG:'windows' WHERE EventID = 4769;

With that STREAM TASK, I don't have any output at all in my file output, windows_krb_4769_si.
But with other field, like for example EventID, is working normally:

[STREAM_TASK]
    Name windows_krb_4769_si
    Exec CREATE STREAM windows_krb_4769_si WITH (tag='windows_krb_4769_si') AS SELECT EventID AS EventID FROM TAG:'windows' WHERE EventID = 4769;

The content of the file output, windows_krb_4769_si:
windows_krb_4769_si: [1691604225.905930757, {"EventID":4769,"tag":"windows_krb_4769_si"}]

Obtain StringInserts field is only possible with "SELECT *":

[STREAM_TASK]
    Name windows_krb_4769
    Exec CREATE STREAM windows_krb_4769 WITH (tag='windows_krb_4769') AS SELECT * FROM TAG:'windows' WHERE EventID = 4769;

I'm trying to do something as simple as parse the StringInserts array, to add a name to every field (the corresponding name from "Message" field), but I can't, because parsing on Message field is not working, and parsing on StringInserts is not working too, :(

Anybody tried something similar with success?

Thanks in advance for your help.

[canob]

I found that is even impossible to SELECT all the content of the field, for example with this STREAM TASK:

[STREAM_TASK]
    Name windows_krb_4769_si
    Exec CREATE STREAM windows_krb_4769_si WITH (tag='windows_krb_4769_si') AS SELECT StringInserts AS StringInserts FROM TAG:'windows' WHERE EventID = 4769;

With that STREAM TASK, I don't have any output at all in my file output, windows_krb_4769_si.
But with other field, like for example EventID, is working normally:

[STREAM_TASK]
    Name windows_krb_4769_si
    Exec CREATE STREAM windows_krb_4769_si WITH (tag='windows_krb_4769_si') AS SELECT EventID AS EventID FROM TAG:'windows' WHERE EventID = 4769;

The content of the file output, windows_krb_4769_si:
windows_krb_4769_si: [1691604225.905930757, {"EventID":4769,"tag":"windows_krb_4769_si"}]

Obtain StringInserts field is only possible with "SELECT *":

[STREAM_TASK]
    Name windows_krb_4769
    Exec CREATE STREAM windows_krb_4769 WITH (tag='windows_krb_4769') AS SELECT * FROM TAG:'windows' WHERE EventID = 4769;

I'm trying to do something as simple as parse the StringInserts array, to add a name to every field (the corresponding name from "Message" field), but I can't, because parsing on Message field is not working, and parsing on StringInserts is not working too, :(

Anybody tried something similar?

Thanks in advance for your help.