Solved: How to set a new field at index-time based on matc...

lukasz92 · ‎01-09-2015

I am trying to parse a complicated log for malware data model.

I want to set a new field: action="allowed" or action="blocked" - based on matching event pattern. (simple: some string in my language). I want to do it at index time - not with using any query (eval).

Is it possible and how to do it?

lukasz92 · ‎01-09-2015

I have done it with transforms, like this:

transforms.conf:
[test1_blocked1]
DEST_KEY = _meta
REGEX = wrgtg trg thrhtryhth
FORMAT = action::blocked

and props.conf:
[sourcetype1]
TRANSFORMS-test = test1_blocked1

View solution in original post

lukasz92 · ‎01-09-2015

I have done it with transforms, like this:

transforms.conf:
[test1_blocked1]
DEST_KEY = _meta
REGEX = wrgtg trg thrhtryhth
FORMAT = action::blocked

and props.conf:
[sourcetype1]
TRANSFORMS-test = test1_blocked1

How to set a new field at index-time based on matching event pattern?

Alpha Launch: AI-Assisted Auto-Schematization for CIM

Enterprise Security(ES) Essentials or Premier? Let's discuss Splunk ES Editions on ...

[Puzzles] Solve, Learn, Repeat: Advent of Code - Day 5

Join the Conversation

How to set a new field at index-time based on matching event pattern?

Alpha Launch: AI-Assisted Auto-Schematization for CIM

Enterprise Security(ES) Essentials or Premier? Let's discuss Splunk ES Editions on ...

[Puzzles] Solve, Learn, Repeat: Advent of Code - Day 5