Use the Custom Extracted Properties function in JSA to expand normalized fields by adding custom fields for reports, searches, and the custom rules engine (CRE).
To extract proxy URLs, virus names, or secondary user names, review the following information:
Restrict your Custom Extracted Properties to a particular log source type or individual log source.
If your extracted property is applicable to only certain events, reduce the workload on JSA by limiting the extracted property to that event type.
When you optimize a custom extracted property for rules, reports, and searches, the custom rules engine can use that property. Extraction then happens when the event is collected rather than when it is searched. By default, custom extracted properties are extracted only when they are searched or displayed, so optimizing an extracted property minimizes the search time against that property.
The value of an extracted property is not itself indexed. However, when an event matches the property, JSA stores the offset and length of the matched value within that event, so a later search reads only that region of the payload rather than re-parsing the whole event, which reduces the amount of data that is searched.
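The following added example models the behaviour described above; it is not JSA's own code. It simulates a regex-based custom property that is restricted to one log source type and compares an optimized property (regex evaluated at collection time, offset and length stored per event) with an on-demand one (regex evaluated at search time). The log source type names, the proxy log lines, and the regex are constructed for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample events as (log source type, raw payload); not real JSA data.
SAMPLE_EVENTS = [
    ("BlueCoatProxy", "2024-05-01 10:00:01 1.2.3.4 user1 GET http://example.com/index.html 200"),
    ("BlueCoatProxy", "2024-05-01 10:00:02 1.2.3.5 user2 GET https://example.org/login 302"),
    ("LinuxOS", "May  1 10:00:03 host sshd[123]: Accepted password for user3 from 10.0.0.1"),
    ("BlueCoatProxy", "2024-05-01 10:00:04 1.2.3.6 user4 CONNECT example.net:443 200"),
]

# Hypothetical regex for a "proxy URL" property: capture the request target after the method.
PROXY_URL_REGEX = r"\b(?:GET|POST|CONNECT)\s+(\S+)"


@dataclass
class Event:
    log_source_type: str
    payload: str
    # property name -> (offset, length) of the captured value, or None when the
    # property was evaluated at collection time and did not match this event
    extracted: Dict[str, Optional[Tuple[int, int]]] = field(default_factory=dict)


@dataclass
class CustomProperty:
    name: str
    regex: str
    capture_group: int = 1
    log_source_type: Optional[str] = None   # None means "applies to every log source type"
    optimize: bool = False                  # True: extract when the event is collected
    regex_evaluations: int = 0              # counts how often the regex actually ran

    def applies_to(self, log_source_type: str) -> bool:
        """Restricting a property to a log source type skips all other events."""
        return self.log_source_type is None or self.log_source_type == log_source_type

    def evaluate(self, payload: str) -> Optional[Tuple[int, int]]:
        """Run the regex once and return (offset, length) of the capture group."""
        self.regex_evaluations += 1
        m = re.search(self.regex, payload)
        if not m:
            return None
        start, end = m.start(self.capture_group), m.end(self.capture_group)
        return start, end - start


def collect(raw_events, properties: List[CustomProperty]) -> List[Event]:
    """Collection time: only optimized properties are evaluated, and only on
    events whose log source type the property is restricted to."""
    events = []
    for lst, payload in raw_events:
        ev = Event(lst, payload)
        for prop in properties:
            if prop.optimize and prop.applies_to(lst):
                ev.extracted[prop.name] = prop.evaluate(payload)
        events.append(ev)
    return events


def search_value(event: Event, prop: CustomProperty) -> Optional[str]:
    """Search time: reuse the stored offset/length if present, otherwise run the regex now."""
    if not prop.applies_to(event.log_source_type):
        return None
    if prop.name in event.extracted:
        loc = event.extracted[prop.name]          # already evaluated at collection time
    else:
        loc = prop.evaluate(event.payload)        # on-demand extraction
    if loc is None:
        return None
    offset, length = loc
    return event.payload[offset:offset + length]  # read only the stored region


def search_values(events: List[Event], prop: CustomProperty) -> List[Optional[str]]:
    return [search_value(ev, prop) for ev in events]


if __name__ == "__main__":
    for optimize in (True, False):
        prop = CustomProperty("ProxyURL", PROXY_URL_REGEX,
                              log_source_type="BlueCoatProxy", optimize=optimize)
        events = collect(SAMPLE_EVENTS, [prop])
        after_collect = prop.regex_evaluations
        values = search_values(events, prop)
        print(f"optimize={optimize}: regex runs at collection={after_collect}, "
              f"at search={prop.regex_evaluations - after_collect}, values={values}")
```

Running the script shows the trade-off from the text: the optimized property does its three regex evaluations (only on the proxy events) at collection time and none at search time, while the on-demand property does none at collection time and all three when searched. The sshd event is never evaluated by either, because the property is restricted to the proxy log source type.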