Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

WEC-EventCollector add permanent field to sourcetype search

zach-keener
Explorer
‎03-06-2024 08:48 AM

How would I add a permanent search or field to a sourctype? 
For example: I have a set of a data that I have been able to snag a field out of using this search

sourcetype="collectedevents" | rex field=_raw "<Computer>(?<Computer>[^<]+)</Computer>"

Our sourcetype is "collectedevents" 

And I found the way to pull the <Computer> field that was in the XML data down to a field "Computer"

But what I would like to be able to do is to have that field be permanent, or transpose the "host =" to not be the host of the WEC but the host of the origin server that it came from.

 

Long story short, we have servers that we don't want the Splunk Forwarder on because we know that it can execute scripts creating a vulnerability with the Splunk Forwarder on these servers.  Any help is appreciated, thank you!

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

marnall
Builder
‎03-10-2024 12:34 PM

This can be done by adding a props and transforms config file on the indexer machines. As an example, you could push an app to your indexers with:

/<appname>/local/props.conf

containing:

[collectedevents]
# change_host and changehostfield are arbitrary values. Change how you like
TRANSFORMS-change_host = changehostfield

 -and-

/<appname>/local/transforms.conf

containing:

# Stanza name must match whatever you set the "changehostfield" value in props.conf
[changehostfield]
DEST_KEY = Metadata:Host
# Add your regex below
REGEX=<Computer>([^<]+)<\/Computer>
FORMAT = host::$1

 

Then the indexers should replace the host field with the value in the XML <Computer> field

View solution in original post

Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎03-10-2024 01:34 PM

1. If you can get the events in XML into your Splunk, you can just use the default xml windows event format from TA_windows. Unfortunately it's not that easy with third party tools (there are some of them which are supposed to be able to do it but I've never tested it)

2. If you use WEF, why not use UF on the collector host?

3. Using regex on structured data is not the best idea.

0 Karma
Reply
Solved! Jump to solution
Solution

marnall
Builder
‎03-10-2024 12:34 PM

This can be done by adding a props and transforms config file on the indexer machines. As an example, you could push an app to your indexers with:

/<appname>/local/props.conf

containing:

[collectedevents]
# change_host and changehostfield are arbitrary values. Change how you like
TRANSFORMS-change_host = changehostfield

 -and-

/<appname>/local/transforms.conf

containing:

# Stanza name must match whatever you set the "changehostfield" value in props.conf
[changehostfield]
DEST_KEY = Metadata:Host
# Add your regex below
REGEX=<Computer>([^<]+)<\/Computer>
FORMAT = host::$1

 

Then the indexers should replace the host field with the value in the XML <Computer> field

Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...