Are you looking for a way to normalize data treatment and define the least common denominator of a source/domain of interest?
In other words, somehow, normalizing the data to match a common standard, using the same field names for equivalent events from different sources/vendors.
What if I tell you, you can use the same field/alias name across multiple rules and parse expressions to normalize a specific type of data into the same field/alias name?
This is possible using <a target="_blank" href="https://www.sumologic.com/">Sumo Logic's</a> Field Extraction Rules (aka. <a target="_blank" href="https://help-opensource.sumologic.com/docs/manage/field-extractions/">FER</a>)
<img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1664998815138/qMfBMpHJF.png" alt="image.png" />
Why normalize? Assume you receive logs with a field called user_name and some other logs with a field called usr. We can use field normalization to transform usr and user_name field name to just user, allowing the previous names user_name and usr to be correlated together behind the new user field in a search.
<img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1664998563375/P-PWqfjTV.png" alt="image.png" />
This way, the fields will be normalized so that the same search/monitor can evaluate messages from multiple data log sources. These fields provide a taxonomy that can be used to tie records from multiple vendors and products together in a standard way.
Normalization allows emulating common-name forms among different sources.
Now, you know. Give it a try!

Are you looking for a way to normalize data treatment and define the least common denominator of a source/domain of interest?

In other words, somehow, normalizing the data to match a common standard, using the same field names for equivalent events from different sources/vendors.

What if I tell you, you can use the same field/alias name across multiple rules and parse expressions to normalize a specific type of data into the same field/alias name?

This is possible using [Sumo Logic's](https://www.sumologic.com/) Field Extraction Rules (aka. [FER](https://help-opensource.sumologic.com/docs/manage/field-extractions/))

![image.png](https://cdn.hashnode.com/res/hashnode/image/upload/v1664998815138/qMfBMpHJF.png align="left")

Why normalize? Assume you receive logs with a field called *user_name* and some other logs with a field called *usr*.  We can use field normalization to transform *usr* and *user_name* field name to just **user**, allowing the previous names *user_name* and  *usr* to be **correlated** together behind the new **user** field in a search.

![image.png](https://cdn.hashnode.com/res/hashnode/image/upload/v1664998563375/P-PWqfjTV.png align="left")

This way, the fields will be normalized so that the same search/monitor can evaluate messages from multiple data log sources.  These fields provide a taxonomy that can be used to tie records from multiple vendors and products together in a standard way.

**Normalization allows emulating common-name forms among different sources.**

Now, you know.  Give it a try!





sumologic normalize fields

Sumo Logic - Normalize logs with Field Extractions

CyberSecurity @ Splunk Ninja 🥷 | DataDog Tamer 🐾 | Wazuh Explorer 🧙‍♂️ | EkoParty 2021 🎉  & SANS DFIR 2022 🔑 Speaker. 
If you find my content useful you can buy me a coffee 🤗


CyberSecurity @ Splunk Ninja 🥷 | DataDog Tamer 🐾 | Wazuh Explorer 🧙‍♂️ | EkoParty 2021 🎉  &amp; SANS DFIR 2022 🔑 Speaker. 
If you find my content useful you can buy me a coffee 🤗


@WhatDoesKmean?

@WhatDoesKmean?

Sumo Logic - Normalize logs with Field Extractions