I have UFs installed on some SQL servers that forward certain events (according to EventID) to my Splunk. I have created a search query to parse out the data I need to make a nice table. However, ideally I'd like to do this at ingest time instead of at search. I was told by my manager to research props.conf and transforms.conf and here I am 🙂 Not sure if that is the proper route or if there are other suggestions. Thank you.

index="wineventlog"
| rex field=EventData_Xml "server_principal_name:(?<server_principal_name>\S+)"
| rex field=EventData_Xml "server_instance_name:(?<server_instance_name>\S+)"
| rex field=EventData_Xml "action_id:(?<action_id>\S+)"
| rex field=EventData_Xml "succeeded:(?<succeeded>\S+)"
| table _time, action_id, succeeded, server_principal_name, server_instance_name
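The same four extractions moved to index time with props.conf, transforms.conf and fields.conf, as an added example that is not part of the original post. It assumes the events arrive with sourcetype XmlWinEventLog (a placeholder; use whatever sourcetype the events actually carry) and that these files live on the indexer or heavy forwarder that parses the data, since a universal forwarder does not apply index-time transforms.

```ini
# props.conf (on the indexer / heavy forwarder, not the UF)
# Stanza name is an assumption; match it to the real sourcetype of the events.
[XmlWinEventLog]
TRANSFORMS-sqlaudit = sqlaudit_principal, sqlaudit_instance, sqlaudit_action, sqlaudit_succeeded

# transforms.conf
# Each stanza copies one search-time rex pattern from the question.
# WRITE_META = true writes the FORMAT output as an indexed field.
[sqlaudit_principal]
REGEX = server_principal_name:(\S+)
FORMAT = server_principal_name::$1
WRITE_META = true

[sqlaudit_instance]
REGEX = server_instance_name:(\S+)
FORMAT = server_instance_name::$1
WRITE_META = true

[sqlaudit_action]
REGEX = action_id:(\S+)
FORMAT = action_id::$1
WRITE_META = true

[sqlaudit_succeeded]
REGEX = succeeded:(\S+)
FORMAT = succeeded::$1
WRITE_META = true

# fields.conf
# Declares the fields as indexed so searches such as action_id=LGIF
# use the index directly instead of a search-time extraction.
[server_principal_name]
INDEXED = true

[server_instance_name]
INDEXED = true

[action_id]
INDEXED = true

[succeeded]
INDEXED = true
```

Index-time fields are written into the index and cannot be changed for events already ingested, so validate the regexes against a sample of events (the `| table` search above works as the check) before restarting the indexer with this configuration.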