Translating string in search string

derekf · ‎06-25-2018

In my search strings I often rename columns using "AS". Is there a way I can expose those as parameters so that when I generate a message.pot file they are included?

Or is it possible to define a macro or a .conf file that can be localized and then used in the search string?

Thanks

woodcock · ‎06-30-2018

Yes, of course. Here is a macro definition that I use to normalize fields coming out of CIM searches:

[Normalize_CIM_Fieldnames]
definition = rename list(*) AS * values(*) AS *\
\
| rename COMMENT AS "START WITH CIM DMs"\
\
| rename Authentication.Failed_Authentication.* AS *\
| rename Authentication.Successful_Authentication.* AS *\
| rename Authentication.Default_Authentication.Failed_Default_Authentication.* AS *\
| rename Authentication.Default_Authentication.Successful_Default_Authentication.* AS *\
| rename Authentication.Default_Authentication.* AS *\
| rename Authentication.Insecure_Authentication.* AS *\
| rename Authentication.Privileged_Authentication.Failed_Privileged_Authentication.* AS *\
| rename Authentication.Privileged_Authentication.Successful_Privileged_Authentication.* AS *\
| rename Authentication.Privileged_Authentication.* AS *\
| rename Authentication.* AS *\
\
| rename All_Changes.Auditing_Changes.* AS *\
| rename All_Changes.Endpoint_Changes.Filesystem_Changes.* AS *\
| rename All_Changes.Endpoint_Changes.Registry_Changes.* AS *\
| rename All_Changes.Endpoint_Changes.Endpoint_Restarts.* AS *\
| rename All_Changes.Endpoint_Changes.Other_Endpoint_Changes.* AS *\
| rename All_Changes.Endpoint_Changes.* AS *\
| rename All_Changes.Network_Changes.Device_Restarts.* AS *\
| rename All_Changes.Network_Changes.* AS *\
| rename All_Changes.Account_Management.Created_Accounts.* AS *\
| rename All_Changes.Account_Management.Deleted_Accounts.* AS *\
| rename All_Changes.Account_Management.Locked_Accounts.* AS *\
| rename All_Changes.Account_Management.Updated_Accounts.* AS *\
| rename All_Changes.Account_Management.* AS *\
| rename All_Changes.* AS *\
\
| rename IDS_Attacks.Application_Intrustion_Detection.* AS *\
| rename IDS_Attacks.Host_Intrustion_Detection.* AS *\
| rename IDS_Attacks.Network_Intrustion_Detection.* AS *\
| rename IDS_Attacks.* AS *\
\
| rename Malware_Attacks.Allowed_Malware.* AS *\
| rename Malware_Attacks.Blocked_Malware.* AS *\
| rename Malware_Attacks.Quarantied.Malware.* AS *\
| rename Malware_Attacks.* AS *\
\
| rename All_Traffic.Traffic_By_Action.Allowed_Traffic.* AS *\
| rename All_Traffic.Traffic_By_Action.Blocked_Traffic.* AS *\
| rename All_Traffic.Traffic_By_Action.* AS *\
| rename All_Traffic.* AS *\
\
| rename Web.Proxy.* AS *\
| rename Web.* AS *\
\
| rename COMMENT AS "NOW DO CUSTOM DMs"
errormsg = Description: Author=Gregg Woodcock
iseval = 0

derekf · ‎07-03-2018

Thank you for the response. I have not seen * used when renaming before. Do you think you would be able to explain this a little bit for me? Also, will this make the renamed columns exposed to the messages.pot file created when doing localization?

Thanks again.

derekf · ‎07-03-2018

Nevermind, it is simply a wildcard.
rename All_Traffic.* AS * would just be rename All_Traffic.(field) AS (field)

Still not sure how I can extract what fields are renamed to so I can localized them though.

Translating string in search string

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM