I'm receiving logs in ArcSight format, for example:
<131>Oct 8 12:06:49 servename ASM:CEF:0|F5|ASM|11.5.3|Header name with no header value|HTTP protocol compliance failed|5|dvchost=servename dvc=x.x.x.x cs1=/Common/xxx cs1Label=policy_name cs2=/Common/xxx cs2Label=http_class_name deviceCustomDate1=Jul 03 2015 10:53:44 deviceCustomDate1Label=policy_apply_date externalId=8938493 act=alerted cn1=200 cn1Label=response_code src=x.x.x.x spt=45391 dst=x.x.x.x dpt=443 requestMethod=GET app=HTTPS cs5=N/A cs5Label=x_forwarded_for_header_value rt=Oct 08 2015 12:06:49 deviceExternalId=1 cs4=N/A cs4Label=attack_type cs6=IE cs6Label=geo_location c6a1= c6a1Label=device_address c6a2= c6a2Label=source_address c6a3= c6a3Label=destination_address c6a4=N/A c6a4Label=ip_address_intelligence msg=N/A ...
Splunk is correctly extracting the fields as:
cn1=200 cn1Label=response_code cs4=attack_HTTP labelcs4=attack_description
But I need to change the name of the fields from cn1 to "responsecode" and delete cn1Label, or from cs4 to "attackdescription" and delete cs4Label. Is there any way to do this in props.conf/transforms.conf?
Could someone please help me?
I just realized that there is another way to interpret your question. Perhaps you are seeking dynamic field creation based on these 4 fields, such that this example set (which could be different for every event):
cn1=200 cn1Label=text_for_field_name_cn1 cs4=attack_HTTP labelcs4=text_for_field_name_cs4
Will morph to this:
To do this, you need these configurations:
# props.conf
[YourSourcetypeHere]
REPORT-swappy_KVP = swappy_KVP

# transforms.conf
[swappy_KVP]
REGEX = =([^=]*)\s+[^=]*?Label=([\S]*)
FORMAT = $2::$1
MV_ADD = 1
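To see what that REPORT extraction actually produces before pushing it to a cluster, it helps to run the same regex over a sample event outside Splunk. The script below is an added example, not part of the answer above or of any Splunk or F5 code: it applies the answer's REGEX with the semantics of FORMAT = $2::$1 and MV_ADD = 1 (every match becomes a field named after the label text, multiple matches keep all values), and then shows a second, CEF-aware way of reaching the same result: parse the extension into key=value pairs, rename each cnN/csN/c6aN field to the name held in its matching Label field, and drop the Label field, which is what the question asks for. The event is the one from the question, trimmed and with placeholder values, so it is constructed sample input; `swappy_fields`, `parse_cef_extension` and `promote_labels` are names chosen here, not Splunk settings.

```python
import re

# Constructed sample: the F5 ASM CEF event from the question, trimmed.
# Addresses and policy names are the same placeholders used in the question.
SAMPLE_EVENT = (
    "<131>Oct 8 12:06:49 servename ASM:CEF:0|F5|ASM|11.5.3|"
    "Header name with no header value|HTTP protocol compliance failed|5|"
    "dvchost=servename dvc=x.x.x.x cs1=/Common/xxx cs1Label=policy_name "
    "cs2=/Common/xxx cs2Label=http_class_name "
    "deviceCustomDate1=Jul 03 2015 10:53:44 deviceCustomDate1Label=policy_apply_date "
    "externalId=8938493 act=alerted cn1=200 cn1Label=response_code "
    "src=x.x.x.x spt=45391 dst=x.x.x.x dpt=443 requestMethod=GET app=HTTPS "
    "cs5=N/A cs5Label=x_forwarded_for_header_value rt=Oct 08 2015 12:06:49 "
    "deviceExternalId=1 cs4=N/A cs4Label=attack_type cs6=IE cs6Label=geo_location "
    "c6a1= c6a1Label=device_address msg=N/A"
)

# The REGEX from the transforms.conf stanza in the answer, unchanged.
SWAPPY_REGEX = re.compile(r"=([^=]*)\s+[^=]*?Label=([\S]*)")


def swappy_fields(event: str) -> dict:
    """Emulate REPORT-swappy_KVP: FORMAT = $2::$1 with MV_ADD = 1.

    Each non-overlapping match yields a field named by group 2 (the label
    text) whose value is group 1.  MV_ADD = 1 means a field that matches
    more than once keeps every value, so values are collected in a list.
    """
    fields = {}
    for value, name in SWAPPY_REGEX.findall(event):
        fields.setdefault(name, []).append(value)
    return fields


# One key=value pair in a CEF extension.  A value runs until the next
# " key=" token, so values containing spaces (dates, messages) stay whole.
# CEF escaping (\= and \|) is not handled; the sample has none.
CEF_PAIR = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_cef_extension(event: str) -> dict:
    """Return the extension part of a CEF event as an ordered dict of pairs.

    The CEF header has seven pipe-separated fields (CEF:Version through
    Severity); everything after the seventh pipe is the extension.
    """
    extension = event.split("|", 7)[7]
    return {key: value for key, value in CEF_PAIR.findall(extension)}


def promote_labels(fields: dict) -> dict:
    """Rename cn1 -> cn1Label's value (e.g. response_code) and drop cn1Label.

    Works for every key that has a sibling key ending in "Label" (cs4/cs4Label,
    c6a1/c6a1Label, deviceCustomDate1/deviceCustomDate1Label, ...).  Keys with
    no label are copied through unchanged; an empty label falls back to the
    original key so no field is silently lost.
    """
    out = {}
    for key, value in fields.items():
        if key.endswith("Label"):
            continue  # the label itself becomes a name, not a field
        new_name = fields.get(key + "Label") or key
        out[new_name] = value
    return out


if __name__ == "__main__":
    for name, values in swappy_fields(SAMPLE_EVENT).items():
        print(f"REPORT extraction: {name}={values}")
    for name, value in promote_labels(parse_cef_extension(SAMPLE_EVENT)).items():
        print(f"label promotion:   {name}={value}")
```

Running it shows the difference between the two approaches on this event: the regex route yields only the eight labelled fields (policy_name, http_class_name, policy_apply_date, response_code, x_forwarded_for_header_value, attack_type, geo_location, device_address), because it can only match a value that is immediately followed by its Label key; it also captures an empty string for c6a1. The parse-then-promote route keeps every other extension field (src, dpt, requestMethod, ...) as well, which is closer to what a search-time extraction on this sourcetype should produce. Either way, a field that the regex silently fails on (a value followed by some other key before its Label) will simply be missing, so check the output against the raw event before relying on it in searches.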
The only way to create index-time fields is to modify the raw event data itself before it gets indexed. I highly advise you NOT to do this. What you can do instead is create search-time field aliases like this inside props.conf:
[YourSourcetypeHere]
FIELDALIAS-acme = cn1 as response_code cs4 as attack_description
I'm trying it this way. I did exactly as you wrote here, so cn1 as responsecode, but when I add the new logs in Splunk the field name is not changing...
I'm using a cluster; I placed the file under master-app/cluster/local and then applied the bundle. Could this be the reason for the problem?