Does anyone know of a way to control execution of transforms based on a non-metadata property of an event?
I have a collection of 100+ regular expressions which extract values using strongly typed field names within Windows security logs. I don't want Splunk to have to execute 100+ regular expressions against every event. Ideally, I would like to control Splunk behavior such that only certain extraction rules are executed against events having certain patterns (in my case, EventCodes) within the sourcetype. Is there a way to do this?
Here is an example of the sort of logic I would like to be able to apply