Getting Data In

Conditional execution of transforms based on property of event

dstaulcu
Builder

Does anyone know of a way to control execution of transforms based on a non-metadata property of an event?

I have a collection of 100+ regular expressions which extract values using strongly typed field names within windows security logs. I don't want Splunk to have to execute 100+ regular expressions against every event. Ideally, I would like to control Splunk behavior such that only certain extraction rules are executed against events having certain patterns (in my case, EventCodes) within the sourcetype. Is there a way to do this?

Here is an example of the sort of logic I would like to be able to apply:

Props.conf:
[source::WinEventLog:Security]
REPORT-wineventlog_security_subject_extractions_1 = if(match(EventCode,(4624|4624),"wineventlog_security_subject_extractions_1",noop)

Transforms.conf:
[wineventlog_security_subject_extractions_1]
SOURCE_KEY = _raw
REGEX = Subject :\s+Security ID:\s+(.)\s+Account Name:\s+(.)\s+Account Domain:\s+(.)\s+Logon ID:\s+(.)
FORMAT = Subject_SID::$1 Subject_Account_Name::$2 Subject_Account_Domain::$3 Subject_Logon_ID::$4

a_naoum
Path Finder

Did you find any solution to this?

0 Karma
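
An added example, not part of the original thread and not a Splunk feature: one way to model the gating the question asks for is to put the EventCode condition inside each pattern as a leading lookahead, so the extraction is only attempted on events with the listed codes. Python's `re` stands in for the regex engine; the sample events, the `(\S+)` captures and the helper names `guarded` and `extract` are assumptions made for this example.

```python
import re

# Subject extraction modeled on the post's REGEX; the (\S+) captures are an
# assumption made for this example (the post shows "(.)").
SUBJECT_BODY = (r"Subject:\s+Security ID:\s+(\S+)\s+Account Name:\s+(\S+)"
                r"\s+Account Domain:\s+(\S+)\s+Logon ID:\s+(\S+)")
SUBJECT_FIELDS = ("Subject_SID", "Subject_Account_Name",
                  "Subject_Account_Domain", "Subject_Logon_ID")


def guarded(event_codes, body):
    """Compile `body` behind a lookahead that requires one of `event_codes`.

    The lookahead is anchored at the start of the event, so an event with a
    different EventCode is rejected after one scan for the EventCode line and
    the extraction body is never attempted.
    """
    codes = "|".join(re.escape(str(c)) for c in event_codes)
    guard = r"\A(?=.*?^EventCode=(?:%s)[ \t]*$)" % codes
    return re.compile(guard + r".*?" + body, re.DOTALL | re.MULTILINE)


def extract(pattern, fields, event):
    """Return {field: value} when the guarded pattern matches, else {}."""
    m = pattern.match(event)
    return dict(zip(fields, m.groups())) if m else {}


# Constructed sample events in the key=value layout of a Windows Security log.
LOGON = ("LogName=Security\nEventCode=4624\nMessage=An account was successfully "
         "logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\t"
         "HOST01$\n\tAccount Domain:\t\tCORP\n\tLogon ID:\t\t0x3E7\n")
OTHER = LOGON.replace("EventCode=4624", "EventCode=4688")

SUBJECT_4624 = guarded([4624], SUBJECT_BODY)

if __name__ == "__main__":
    print(extract(SUBJECT_4624, SUBJECT_FIELDS, LOGON))
    print(extract(SUBJECT_4624, SUBJECT_FIELDS, OTHER))  # guard rejects this event
```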