All Apps and Add-ons

How to change the host field to another field during ingestion?

nathanpyen
New Member

We just started ingesting Windows event logs from Microsoft Azure Storage (sourcetype = mscs:storage:table). We installed the Microsoft Cloud Services add-on on one of our heavy forwarders, and it forwards to our indexers.

When the data gets indexed, the host field value is the name of the heavy forwarder instead of the actual Windows host. The actual Windows host name is in a field called RoleInstance.

Example:

Channel: Security
DeploymentId: be79887e-
Description: Key file operation.

Subject:
Security ID: S-1-5-18
Account Name: AZDC$
Account Domain: F
Logon ID: 0x3E7

Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: UNKNOWN
Key Name: {55C5AD0C-}
Key Type: Machine key.

Key File Operation Information:
File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\
Operation: Read persisted key from file.
Return Code: 0x0

EventId: 5058
EventTickCount: 6369
EventTickCount@odata.type: Edm.Int64
Level: 0
Opcode: 0
PartitionKey: 06
Pid: 708
PreciseTimeStamp: 2019-05-13T17:16:58.0636879Z
PreciseTimeStamp@odata.type: Edm.DateTime
ProviderGuid: {5484962-}
ProviderName: Microsoft-Windows-Security-Auditing
RawXml:
Role: IaaS
RoleInstance: _AZDC
RowIndex: 000000

Is there a way to change that, or is this something I will have to do with transforms.conf and props.conf?

If so, how would I write the regex so it extracts the actual server name from the RoleInstance field?

The raw event starts like this:
{"DeploymentId": "be798", "EventTickCount@odata.type": "Edm.Int64", "RoleInstance": "_AZDC", "TIMESTAMP@odata.type": "Edm.DateTime", "odata.etag":

0 Karma
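The host override the question is asking about is an index-time transform: a transforms.conf stanza whose REGEX runs against _raw and writes its capture into MetaData:Host, wired to the sourcetype in props.conf. Because MetaData:Host is only writable during parsing, the stanzas must live on the heavy forwarder that parses this data (not only on the indexers), and they only affect events indexed after deployment. The Python below is an added example, not code from the poster or from the Microsoft Cloud Services add-on: it carries the equivalent props.conf/transforms.conf stanzas as comments and applies the same regex to constructed raw JSON lines shaped like the one in the question, so the pattern can be checked offline before it is deployed. The forwarder name hf01, the stanza name mscs_host_from_roleinstance and the second and third sample events are assumptions made for the example; the RoleInstance value is kept exactly as it appears in the event, so narrow the capture group if only part of it should become the host.

```python
import re

# Hypothetical heavy forwarder name: what host is set to today when no
# override fires (an assumption for this example, not from the post).
FORWARDER_HOST = "hf01"

# Index-time host override that this script models. Deploy on the heavy
# forwarder that parses mscs:storage:table; the stanza name is assumed.
#
#   transforms.conf
#   [mscs_host_from_roleinstance]
#   REGEX    = "RoleInstance"\s*:\s*"([^"]+)"
#   FORMAT   = host::$1
#   DEST_KEY = MetaData:Host
#
#   props.conf
#   [mscs:storage:table]
#   TRANSFORMS-set_host = mscs_host_from_roleinstance
#
# transforms.conf REGEX runs against _raw by default (SOURCE_KEY = _raw),
# so the same pattern is applied to the raw JSON line here. The pattern
# only uses constructs that PCRE (Splunk) and Python's re share. Quoting
# the key name keeps it from matching a longer key such as
# "RoleInstanceId"; [^"]+ stops at the first quote, so a value containing
# an escaped quote would be cut short (not expected for a host name).
HOST_REGEX = re.compile(r'"RoleInstance"\s*:\s*"([^"]+)"')

# Constructed sample events. The first follows the raw event shown in the
# question; the others are assumed variants: different key order and
# spacing, and one event with no RoleInstance key at all.
SAMPLE_EVENTS = [
    '{"DeploymentId": "be798", "EventTickCount@odata.type": "Edm.Int64", '
    '"RoleInstance": "_AZDC", "TIMESTAMP@odata.type": "Edm.DateTime"}',
    '{"DeploymentId": "be798", "Role": "IaaS", "RoleInstance":"WEB01_IN_0", '
    '"Channel": "Security"}',
    '{"DeploymentId": "be798", "Role": "IaaS", "Channel": "Security"}',
]


def host_for_event(raw, default_host=FORWARDER_HOST):
    """Return the host Splunk would assign to one raw event.

    When the override regex matches, the capture group becomes the host
    (FORMAT = host::$1). When it does not match, the transform does
    nothing and the host stays whatever the forwarder set, so events
    with no RoleInstance keep the forwarder name rather than getting an
    empty host.
    """
    match = HOST_REGEX.search(raw)
    return match.group(1) if match else default_host


def apply_host_override(events, default_host=FORWARDER_HOST):
    """Model the parsing pipeline over a batch: list of (host, raw)."""
    return [(host_for_event(raw, default_host), raw) for raw in events]


if __name__ == "__main__":
    for host, raw in apply_host_override(SAMPLE_EVENTS):
        print(f"host={host!r:14} raw={raw[:60]}...")
```

After deploying the stanzas and restarting the heavy forwarder, confirm the override on newly indexed data with `index=<your index> sourcetype=mscs:storage:table | stats count by host`; events indexed before the change keep the forwarder name, since index-time transforms are not applied retroactively.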