Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to set a new field at index-time based on matching event pattern?

lukasz92
Communicator
‎01-09-2015 03:08 AM

I am trying to parse a complicated log for malware data model.

I want to set a new field: action="allowed" or action="blocked" - based on matching event pattern. (simple: some string in my language). I want to do it at index time - not with using any query (eval).

Is it possible and how to do it?

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lukasz92
Communicator
‎01-09-2015 04:29 AM

I have done it with transforms, like this:

transforms.conf:
[test1_blocked1]
DEST_KEY = _meta
REGEX = wrgtg trg thrhtryhth
FORMAT = action::blocked

and props.conf:
[sourcetype1]
TRANSFORMS-test = test1_blocked1

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

lukasz92
Communicator
‎01-09-2015 04:29 AM

I have done it with transforms, like this:

transforms.conf:
[test1_blocked1]
DEST_KEY = _meta
REGEX = wrgtg trg thrhtryhth
FORMAT = action::blocked

and props.conf:
[sourcetype1]
TRANSFORMS-test = test1_blocked1

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...