I have events that return different structured fields depending on the value of a field called TYPE. This all comes from the same sourcetype. For example:

if type=TYPE1, I might have fields called: TYPE1.exe, TYPE1.comm, TYPE1.path, TYPE1.filename

if type=TYPE2, I might have fields called: TYPE2.comm, TYPE2.path, TYPE2.host

As you can see, each type brings a different set of base fields. We are using data model searches so I want to get these base fields into CIM compliance.

Is there a way to create stanzas in props.conf or transforms.conf that will allow me to field alias these values based on the type value? I tried straight-out field aliasing in props.conf only to find I was actually overwriting values due to precedence/order of my field alias commands.

Thanks in advance,