https://community.splunk.com/t5/Getting-Data-In/AWS-Logs-via-Lamda-to-HF-drop-preceding-key-from-fieldname/m-p/673181#M112754 <P>Hello, I've got a Lamda function exporting AWS logs via HEC to my HF's to my indexers.<BR /><BR />Unfortunately, the AWS logs are coming in with event.* as all of the field names, whereas the Splunk_TA_aws addon is expecting *.<BR /><BR />I can easily do a rename event.* as a *, however that's too late for the out of the box props.conf's to take effect. This causes things like the the<BR /><BR />"FIELDALIAS-eventName-for-aws-cloudtrail-command = eventName AS commandrename eventName as command"<BR /><BR />in props.conf to fail unless I go in and modify it to be event.eventName. I'd like to fix this before it gets to SPL. Is there a way to do this easily? Thanks!</P> Wed, 03 Jan 2024 21:25:46 GMT cybersecnutant 2024-01-03T21:25:46Z https://community.splunk.com/t5/Getting-Data-In/AWS-Logs-via-Lamda-to-HF-drop-preceding-key-from-fieldname/m-p/673181#M112754 <P>Hello, I've got a Lamda function exporting AWS logs via HEC to my HF's to my indexers.<BR /><BR />Unfortunately, the AWS logs are coming in with event.* as all of the field names, whereas the Splunk_TA_aws addon is expecting *.<BR /><BR />I can easily do a rename event.* as a *, however that's too late for the out of the box props.conf's to take effect. This causes things like the the<BR /><BR />"FIELDALIAS-eventName-for-aws-cloudtrail-command = eventName AS commandrename eventName as command"<BR /><BR />in props.conf to fail unless I go in and modify it to be event.eventName. I'd like to fix this before it gets to SPL. Is there a way to do this easily? Thanks!</P> Wed, 03 Jan 2024 21:25:46 GMT https://community.splunk.com/t5/Getting-Data-In/AWS-Logs-via-Lamda-to-HF-drop-preceding-key-from-fieldname/m-p/673181#M112754 cybersecnutant 2024-01-03T21:25:46Z https://community.splunk.com/t5/Getting-Data-In/AWS-Logs-via-Lamda-to-HF-drop-preceding-key-from-fieldname/m-p/673434#M112780 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/151299">@cybersecnutant</a>,</P><P>If we assume your events are JSON-formatted:</P><LI-CODE lang="javascript">{"event.field1": "value1", "event.field2": "value2", "event.field3": "value3"}</LI-CODE><P>you can remove the event. field prefix using SEDCMD in props.conf on your heavy forwarder:</P><LI-CODE lang="javascript"># local/props.conf [your_sourcetype] SEDCMD-strip-event = s/"event\.([^"]+)"/"\1"/g</LI-CODE><P>or a combination of RULESET in props.conf and a transform in transforms.conf (together, an ingest action) on either your heavy forwarder or your indexer(s):</P><LI-CODE lang="javascript"># local/props.conf [your_sourcetype] RULESET-strip-event = strip-event # local/transforms.conf [strip-event] INGEST_EVAL = _raw:=replace(_raw, "\"event\.([^\"]+)\"", "\"\\1\"")</LI-CODE><P>You can also reference the same INGEST_EVAL transform in a TRANSFORMS setting in props.conf. The difference is where in the pipeline the various methods execute. SEDCMD and TRANSFORMS execute between typingQueue and rulesetQueue (along the path for "raw" data), and RULESET executes between rulesetQueue and indexQueue (the injection point for parsed or "cooked" data).</P><P>Your final raw event would be:</P><LI-CODE lang="javascript">{"field1": "value1", "field2": "value2", "field3": "value3"}</LI-CODE> Sat, 06 Jan 2024 17:07:24 GMT https://community.splunk.com/t5/Getting-Data-In/AWS-Logs-via-Lamda-to-HF-drop-preceding-key-from-fieldname/m-p/673434#M112780 tscroggins 2024-01-06T17:07:24Z