I am trying to parse a complicated log for the malware data model.
I want to set a new field: action="allowed" or action="blocked", based on a matching event pattern (simple: some string in my language). I want to do it at index time, not by using any query (eval).
Is it possible and how to do it?
I have done it with transforms, like this:
transforms.conf:
[test1_blocked1]
DEST_KEY = _meta
REGEX = wrgtg trg thrhtryhth
FORMAT = action::blocked
and props.conf:
[sourcetype1]
TRANSFORMS-test = test1_blocked1
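A fuller version of the same index-time approach, added here as an example and not the poster's own configuration: one transform per outcome, both applied in order from props.conf, plus a fields.conf stanza so search time treats action as an indexed field. The sourcetype name, the stanza names and the regexes are assumptions; replace them with the patterns that actually mark allowed and blocked events in your log.

```ini
# transforms.conf  (added example; stanza names and regexes are assumptions)
# Each stanza tests one pattern and, on match, writes an indexed field.
# WRITE_META = true appends action::<value> to _meta instead of replacing
# whatever is already there, so several such transforms can coexist.
[malware_action_blocked]
REGEX = (?i)\b(blocked|quarantined|denied)\b
FORMAT = action::blocked
WRITE_META = true

[malware_action_allowed]
REGEX = (?i)\b(allowed|permitted|clean)\b
FORMAT = action::allowed
WRITE_META = true

# props.conf  (sourcetype name is an assumption)
# Every transform in the list is evaluated, in the order given, against
# each event of this sourcetype; an event that matches neither regex
# simply gets no action field.
[malware_sourcetype]
TRANSFORMS-action = malware_action_blocked, malware_action_allowed

# fields.conf
# Declares action as an indexed field so that action=blocked in a search
# is answered from the index instead of being re-extracted at search time.
[action]
INDEXED = true
```

Two things to check before relying on this: the two regexes must be mutually exclusive for your data, because an event that matches both would receive both values (a multivalue action field), and index-time settings live on the indexers or heavy forwarders, take effect only after a restart or deploy, and apply only to events indexed after the change, never to data already on disk.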