- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- How to create props.conf and transforms.conf to ch...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to create props.conf and transforms.conf to change the fields name of a CEF event
Hi everyone,
I'm receiving logs in arcsight format, for example:
<131>Oct 8 12:06:49 servename ASM:CEF:0|F5|ASM|11.5.3|Header name with no header value|HTTP protocol compliance failed|5|dvchost=servename dvc=x.x.x.x cs1=/Common/xxx cs1Label=policy_name cs2=/Common/xxx cs2Label=http_class_name deviceCustomDate1=Jul 03 2015 10:53:44 deviceCustomDate1Label=policy_apply_date externalId=8938493 act=alerted cn1=200 cn1Label=response_code src=x.x.x.x spt=45391 dst=x.x.x.x dpt=443 requestMethod=GET app=HTTPS cs5=N/A cs5Label=x_forwarded_for_header_value rt=Oct 08 2015 12:06:49 deviceExternalId=1 cs4=N/A cs4Label=attack_type cs6=IE cs6Label=geo_location c6a1= c6a1Label=device_address c6a2= c6a2Label=source_address c6a3= c6a3Label=destination_address c6a4=N/A c6a4Label=ip_address_intelligence msg=N/A ...
splunk it's correctly extracting the field as:
cn1=200
cn1Label=response_code
cs4=attack_HTTP
labelcs4=attack_description
But I need to change the name of the fields from cn1 to "response_code" and delete cn1Label, or from cs4 to "attack_description", and to delete cs4label, is there anyway to do this in the props.conf/transform.conf file?
Could please someone help me?
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I just realized that there is another way to interpret your question. Perhaps you are seeking to have a dynamic field creation based on these 4 fields such that this example set (which could be different for every event):
cn1=200
cn1Label=text_for_field_name_cn1
cs4=attack_HTTP
labelcs4=text_for_field_name_cs4
Will morph to this:
text_for_field_name_cn1=200
text_for_field_name_cs4=attack_http
To do this, you need these configurations:
props.conf:
[YourSourcetypeHere]
REPORT-swappy_KVP = swappy_KVP
transforms.conf:
[swappy_KVP]
REGEX = =([^=]*)\s+[^=]*?Label=([\S]*)
FORMAT = $2::$1
MV_ADD = 1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thanks, I'm trying by now
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is the value of cn1Label and cs4Lable field fixed, OR they can change?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The only way to create index-time fields is to modify the raw event data itself before it gets indexed. I highly advise you to NOT do this. What you can do instead, is create search-time field aliases like this inside props.conf:
[YourSourcetypeHere]
FIELDALIAS-acme = cn1 as response_code cs4 as attack_description
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm trying using this way, I did exactly as you wrote here so cn1 as response_code, but when I add the new logs in splunk the field name is not changing...
I'm using a cluster, I placed the file under master-app/_cluster/local and next I did the bundle, could this be the reason of the problem?
Harnessing Splunk’s Federated Search for Amazon S3
Infographic provides the TL;DR for the 2024 Splunk Career Impact Report
Enterprise Security Content Update (ESCU) | New Releases
