Using Transfroms.conf to drop parts of a file path

defikes · ‎03-19-2021

I am new to using the Transfroms.conf and props.conf to manipulate data. The issue we are experiencing is in our WinEventLog data, we have a field that comes over as Creator Process Name

Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe

However most of the correlation searches are looking for process name, parent process name, etc. I have created a field alias to have the Creator Process Name also follow parent process name. I am trying to use Transforms and props in order to drop most of the file path for process name field, for example:

Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe

Process Name: splunkd.exe

Here is my current entry in Transfroms.conf

[Creator_Process_Name_as_process_name]
SOURCE_KEY = Creator_Process_Name
REGEX = \t\w:.*[\\](?<process_name>.*)\n
FORMAT = process_name::$1

and in Props.conf

TRANSFORMS-Creator_Process_Name_as_process_name = Creator_Process_Name_AS_process_name

Doesn't seem to be working like it should, I actually do get a process name populated but it is the whole flie path. Regex101 seems to show the Regex to be correct in just pulling the .exe

Vardhan · ‎03-19-2021

HI @defikes ,

In order to drop events which are having Process name you can use below props& transfroms.

props.conf

TRANSFORMS-dropevents = process_name

transforms.conf

[process_name]

REGEX = \t\w:.*[\\](.*)\n (test your regex before placing here)

DEST_KEY = queue
FORMAT = nullQueue