noktork
commented
7 years ago You have to create a separate input, I recommend you use a NON-standard port like 1514 as an example. The under that input choose manage.
Here is where you create the input:
Klick the "Manage extractor" button for the Raw input you just created. Since is a new input you should NOT have any extractor, you now need to import my JSON extractor:
It's under actions, just paste the complete JSON code into the import dialog window. Sorry for the delay in my answer.
Good luck!
I've been trying to follow what you've done without success, I'm trying to extract the src and destination ip address, can you please provide some guidance ?