Scenario:
format of data is JSON (see below example)
{
"client": {"ip": "...",...
...
"type": "snort"
}
{
"fw": {"iptables": "...",...
"client": {"ip": "...",...
...
"type": "firewall"
}{
"client": {"ip": "...",...
...
"type": "snort"
}
{
"fw": {"iptables": "...",...
"client": {"ip": "...",...
...
"type": "firewall"
}
I've tried using regexes like below to separate them.
props.conf
[udp:514]
TRANSFORMS-set_sourcetype = snort,firewall
transforms.conf
[snort]
REGEX = ^(.*?type\"\:)(?P<type>("([^}]|"")*"))
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::$type
[firewall]
REGEX = ^(.*?type\"\:)(?P<type>("([^}]|"")*"))
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::$type
Looking for the best method to assign the sourcetypes. I do not have control over the data structure or how it is sent to the UF.
A UF doesn't parse the data, so this functionality must be done on the indexer, or an HF. Your title for the question specifically states doing it on a UF, so the answer is, you can't. But you can do it on the indexers or an HF.
Why do you want to separate sourcetypes?
JSON is extracted fields appropriately .
If you search , you can use type=snort
or type=firewall
.