# Extractors

Extractors play a crucial role in the architecture of a SIEM. Their main task is to collect information from diverse data sources, standardize it and put it into a structured form to enable efficient security monitoring and analysis. In doing so, extractors offer a wide range of benefits, from detecting potential security threats to supporting compliance requirements.

<figure><img src="/files/CDISjgQaOCiPGFCMbbZo" alt=""><figcaption></figcaption></figure>

## Add Extractors

Go to "**Add Extractor**". Now assign a meaningful name and briefly describe what it contains. Use the "**Add Matcher**" button to define the field from which the desired information is to be extracted.

In the "**Source Field Name**" section, select the field that is relevant for your purposes. In the "**Condition (Regex)**" section, enter a recurring string that can be found in all logs of the same type. In the "**Pattern (Regex)**" section, specify the part of the log from which you want to extract the information. You can use the regular expressions provided on the right-hand side for this.

{% hint style="info" %}
You can also enter the same expression in the Condition section as in the Pattern section. Note, however, that in most cases this requires additional CPU resources.
{% endhint %}

Once an expression has been matched, a capturing group opens in which you specify the standard field that the extracted value or expression should be mapped to. After you have added the extractor, every log that matches the specified pattern is given the defined standard field, and the associated value is mapped into it.
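
The matcher logic described above, modeled as an added example (not Enginsight's own code): the condition acts as a cheap gate, the pattern's capturing groups are mapped to standard fields. The `Matcher` class, the field names `user.name` and `source.ip`, the sample logs and the use of Python's `re` syntax in place of the platform's regex engine are all assumptions.

```python
import re
from dataclasses import dataclass

@dataclass
class Matcher:
    source_field: str   # "Source Field Name"
    condition: str      # "Condition (Regex)": string common to all logs of this type
    pattern: str        # "Pattern (Regex)": the part of the log to extract from
    group_fields: dict  # capturing group number -> standard field (names are assumed)

    def apply(self, log: dict) -> dict:
        text = log.get(self.source_field)
        # Cheap gate first: logs of other types never reach the pattern.
        if not isinstance(text, str) or not re.search(self.condition, text):
            return log
        match = re.search(self.pattern, text)
        if match is None:
            return log  # right log type, but nothing to extract
        enriched = dict(log)  # copy, so the original log stays untouched
        for number, field in self.group_fields.items():
            if match.group(number) is not None:
                enriched[field] = match.group(number)
        return enriched

# Constructed sample logs, not taken from a real system.
SAMPLE_LOGS = [
    {"message": "sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 52144 ssh2"},
    {"message": "sshd[2212]: Accepted publickey for deploy from 198.51.100.4 port 40022 ssh2"},
    {"message": "sshd[2213]: Failed password for root from 192.0.2.55 port 33910 ssh2"},
    {"message": "audit: Failed password policy check skipped"},
]

SSH_FAILED_LOGIN = Matcher(
    source_field="message",
    condition=r"Failed password",
    pattern=r"for (?:invalid user )?(\S+) from (\d{1,3}(?:\.\d{1,3}){3}) port",
    group_fields={1: "user.name", 2: "source.ip"},
)

def run_extractor(logs):
    """Apply the matcher to every log and return the (possibly enriched) logs."""
    return [SSH_FAILED_LOGIN.apply(log) for log in logs]

if __name__ == "__main__":
    for row in run_extractor(SAMPLE_LOGS):
        print(row)
```

The last sample log passes the condition but not the pattern, so it is returned without any mapped fields. A condition that is too loose therefore costs an extra pattern evaluation but does not produce wrong field values.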


