Solved: How to set a new field at index-time based on matc...

lukasz92 · ‎01-09-2015

I am trying to parse a complicated log for malware data model.

I want to set a new field: action="allowed" or action="blocked" - based on matching event pattern. (simple: some string in my language). I want to do it at index time - not with using any query (eval).

Is it possible and how to do it?

lukasz92 · ‎01-09-2015

I have done it with transforms, like this:

transforms.conf:
[test1_blocked1]
DEST_KEY = _meta
REGEX = wrgtg trg thrhtryhth
FORMAT = action::blocked

and props.conf:
[sourcetype1]
TRANSFORMS-test = test1_blocked1

View solution in original post

lukasz92 · ‎01-09-2015

I have done it with transforms, like this:

transforms.conf:
[test1_blocked1]
DEST_KEY = _meta
REGEX = wrgtg trg thrhtryhth
FORMAT = action::blocked

and props.conf:
[sourcetype1]
TRANSFORMS-test = test1_blocked1

How to set a new field at index-time based on matching event pattern?

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases

Are you a member of the Splunk Community?

How to set a new field at index-time based on matching event pattern?

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases