Getting Data In
Highlighted

Conditional execution of transforms based on property of event

Builder

Does anyone know of a way to control execution of transforms based on a non-metadata property of an event?

I have a collection of 100+ regular expressions which extract values using strongly typed field names within windows security logs. I don't want Splunk to have to execute 100+ regular expressions against every event. Ideally, I would like to control Splunk behavior such that only certain extraction rules are executed against events having certain patterns (in my case, EventCodes) within the sourcetype. Is there a way to do this?

Here is an example of the sort of logic I would like to be able to apply

Props.conf:
[source::WinEventLog:Security]
REPORT-wineventlogsecuritysubjectextractions1 = if(match(EventCode,(4624|4624),"wineventlogsecuritysubjectextractions1",noop)

Transforms.conf:
[wineventlogsecuritysubjectextractions1]
SOURCEKEY = _raw
REGEX = Subject :\s+Security ID:\s+(.)\s+Account Name:\s+(.)\s+Account Domain:\s+(.)\s+Logon ID:\s+(.)
FORMAT = Subject
SID::$1 SubjectAccountName::$2 SubjectAccountDomain::$3 SubjectLogonID::$4

0 Karma
Highlighted

Re: Conditional execution of transforms based on property of event

Path Finder

Did you found any solution on this?

0 Karma