Does anyone know of a way to control execution of transforms based on a non-metadata property of an event?
I have a collection of 100+ regular expressions which extract values using strongly typed field names within windows security logs. I don't want Splunk to have to execute 100+ regular expressions against every event. Ideally, I would like to control Splunk behavior such that only certain extraction rules are executed against events having certain patterns (in my case, EventCodes) within the sourcetype. Is there a way to do this?
Here is an example of the sort of logic I would like to be able to apply
Props.conf:
[source::WinEventLog:Security]
REPORT-wineventlog_security_subject_extractions_1 = if(match(EventCode,(4624|4624),"wineventlog_security_subject_extractions_1",noop)
Transforms.conf:
[wineventlog_security_subject_extractions_1]
SOURCE_KEY = _raw
REGEX = Subject :\s+Security ID:\s+(.)\s+Account Name:\s+(.)\s+Account Domain:\s+(.)\s+Logon ID:\s+(.)
FORMAT = Subject_SID::$1 Subject_Account_Name::$2 Subject_Account_Domain::$3 Subject_Logon_ID::$4
Did you found any solution on this?