Solved: How to set a new field at index-time based on matc...

lukasz92 · ‎01-09-2015

I am trying to parse a complicated log for malware data model.

I want to set a new field: action="allowed" or action="blocked" - based on matching event pattern. (simple: some string in my language). I want to do it at index time - not with using any query (eval).

Is it possible and how to do it?

lukasz92 · ‎01-09-2015

I have done it with transforms, like this:

transforms.conf:
[test1_blocked1]
DEST_KEY = _meta
REGEX = wrgtg trg thrhtryhth
FORMAT = action::blocked

and props.conf:
[sourcetype1]
TRANSFORMS-test = test1_blocked1

View solution in original post

lukasz92 · ‎01-09-2015

I have done it with transforms, like this:

transforms.conf:
[test1_blocked1]
DEST_KEY = _meta
REGEX = wrgtg trg thrhtryhth
FORMAT = action::blocked

and props.conf:
[sourcetype1]
TRANSFORMS-test = test1_blocked1

How to set a new field at index-time based on matching event pattern?

Accelerating Observability as Code with the Splunk AI Assistant

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!

Join the Conversation

How to set a new field at index-time based on matching event pattern?

Accelerating Observability as Code with the Splunk AI Assistant

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!