If you check the link I provided, it reads: The easiest solution is probably to rewrite the events with SEDCMD in props.conf on your indexer (or Heavy Forwarder);
[your sourcetype]
SEDCMD-blah = s/(\w+\.exe=\d{4,})/m_\1/g
As you can see, there are some assumptions here:
1) that all the stuff you want to rename ends in .exe
2) that they have at least a 4-digit value (i.e. greater than 1000)
3) that the binaries (i.e. field names) can contain only certain characters.
Adjust these things to suit your actual environment. Please note that this will actually change the events before they are written to disk, so if you're not allowed to tamper with the data, this might not be the way to go. I agree with that approach; you could try rewriting your events in the header.
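To see what that SEDCMD actually does to events before they hit disk, here is an added example (not from the answer above, and not Splunk's own code) that runs the same `s/(\w+\.exe=\d{4,})/m_\1/g` substitution with Python's `re` module over a few constructed sample events. It assumes Python's regex semantics (`\w`, `\d{4,}`, `\1` backreferences, global replace) approximate Splunk's sed-style SEDCMD closely enough to show the three assumptions above; always confirm against a real test index before changing props.conf.

```python
import re

# The substitution proposed in the answer, SEDCMD-blah = s/(\w+\.exe=\d{4,})/m_\1/g,
# expressed with Python's re module. re.sub with no count argument behaves like sed's /g flag.
SEDCMD_PATTERN = re.compile(r"(\w+\.exe=\d{4,})")
SEDCMD_REPLACEMENT = r"m_\1"


def rewrite_event(raw_event: str) -> str:
    """Apply the SEDCMD-style rewrite to one raw event string and return the rewritten event."""
    return SEDCMD_PATTERN.sub(SEDCMD_REPLACEMENT, raw_event)


def rewrite_all(events):
    """Rewrite a list of raw events, preserving order."""
    return [rewrite_event(e) for e in events]


# Constructed sample events (not real data), one per assumption listed in the answer.
SAMPLE_EVENTS = [
    "host=web01 svchost.exe=1234 chrome.exe=20480",  # both tokens match: .exe, >=4 digits, \w chars
    "host=web02 explorer.exe=512",                   # only 3 digits, so \d{4,} fails: left untouched
    "host=web03 my-app.exe=4096",                    # '-' is not \w: only 'app.exe=4096' gets the prefix
    "host=web04 updater.dll=123456",                 # not .exe: left untouched
]

if __name__ == "__main__":
    # Show each event before and after the rewrite so the effect of each assumption is visible.
    for before, after in zip(SAMPLE_EVENTS, rewrite_all(SAMPLE_EVENTS)):
        print(f"{before!r} -> {after!r}")
```

The third sample is the one to watch: because the regex only matches `\w` characters, a binary name containing a hyphen is renamed mid-token (`my-m_app.exe=4096`), which is exactly the kind of silent corruption the "can contain only certain characters" assumption warns about. Since the rewrite is permanent at index time, run this kind of dry run over a representative sample of your real events first.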