topic Re: How to create props.conf and transforms.conf to change the fields name of a CEF event in Getting Data In

How to create props.conf and transforms.conf to change the fields name of a CEF event

Federica_92 — Tue, 29 Sep 2020 07:38:16 GMT

Hi everyone,

I'm receiving logs in arcsight format, for example:

 <131>Oct  8 12:06:49 servename ASM:CEF:0|F5|ASM|11.5.3|Header name with no header value|HTTP protocol compliance failed|5|dvchost=servename dvc=x.x.x.x cs1=/Common/xxx cs1Label=policy_name cs2=/Common/xxx cs2Label=http_class_name deviceCustomDate1=Jul 03 2015 10:53:44 deviceCustomDate1Label=policy_apply_date externalId=8938493 act=alerted cn1=200 cn1Label=response_code src=x.x.x.x spt=45391 dst=x.x.x.x dpt=443 requestMethod=GET app=HTTPS cs5=N/A cs5Label=x_forwarded_for_header_value rt=Oct 08 2015 12:06:49 deviceExternalId=1 cs4=N/A cs4Label=attack_type cs6=IE cs6Label=geo_location c6a1= c6a1Label=device_address c6a2= c6a2Label=source_address c6a3= c6a3Label=destination_address c6a4=N/A c6a4Label=ip_address_intelligence msg=N/A ...

splunk it's correctly extracting the field as:

cn1=200 
cn1Label=response_code
cs4=attack_HTTP
labelcs4=attack_description

But I need to change the name of the fields from cn1 to "response_code" and delete cn1Label, or from cs4 to "attack_description", and to delete cs4label, is there anyway to do this in the props.conf/transform.conf file?
Could please someone help me?

Thanks

Re: How to create props.conf and transforms.conf to change the fields name of a CEF event

woodcock — Tue, 20 Oct 2015 16:23:57 GMT

The only way to create index-time fields is to modify the raw event data itself before it gets indexed. I highly advise you to NOT do this. What you can do instead, is create search-time field aliases like this inside props.conf:

[YourSourcetypeHere]
FIELDALIAS-acme = cn1 as response_code cs4 as attack_description

Re: How to create props.conf and transforms.conf to change the fields name of a CEF event

somesoni2 — Tue, 20 Oct 2015 16:33:47 GMT

Is the value of cn1Label and cs4Lable field fixed, OR they can change?

Re: How to create props.conf and transforms.conf to change the fields name of a CEF event

woodcock — Tue, 20 Oct 2015 16:37:51 GMT

I just realized that there is another way to interpret your question. Perhaps you are seeking to have a dynamic field creation based on these 4 fields such that this example set (which could be different for every event):

cn1=200 
cn1Label=text_for_field_name_cn1
cs4=attack_HTTP
labelcs4=text_for_field_name_cs4

Will morph to this:

text_for_field_name_cn1=200
text_for_field_name_cs4=attack_http

To do this, you need these configurations:

props.conf:

[YourSourcetypeHere]
REPORT-swappy_KVP = swappy_KVP

transforms.conf:

[swappy_KVP]
REGEX = =([^=]*)\s+[^=]*?Label=([\S]*)
FORMAT = $2::$1
MV_ADD = 1

Re: How to create props.conf and transforms.conf to change the fields name of a CEF event

Federica_92 — Wed, 21 Oct 2015 08:13:28 GMT

thanks, I'm trying by now

Re: How to create props.conf and transforms.conf to change the fields name of a CEF event

Federica_92 — Tue, 29 Sep 2020 07:38:53 GMT

I'm trying using this way, I did exactly as you wrote here so cn1 as response_code, but when I add the new logs in splunk the field name is not changing...
I'm using a cluster, I placed the file under master-app/_cluster/local and next I did the bundle, could this be the reason of the problem?