| makeresults
| eval _raw="2018-02-01 09:45:58,Security risk found,IP Address: 10.X.X.X,Computer name: XXXXXXXX,Intensive Protection Level: 0,Certificate issuer: ,Certificate signer: ,Certificate thumbprint: ,Signing timestamp: 0,Certificate serial number: ,Source: Auto-Protect scan,Risk name: AngryIPScanner,Occurrences: 1,C:\Users\XXXXXXXX\Downloads\Unconfirmed 312246.crdownload,,Actual action: Left alone,Requested action: Quarantined,Secondary action: Deleted,Event time: 2018-02-01 09:42:32,Inserted: 2018-02-01 09:44:58,End: 2018-02-01 09:42:46,Last update time: 2018-02-01 09:45:58,Domain: Default,Group: My Company\Workstations\Windows\Unassigned,Server: Testsep02,User: XXXXXXXX,Source computer: ,Source IP: ,Disposition: Reputation was not used in this detection.,Download site: ,Web domain: ,Downloaded by: c:/program files (x86)/google/chrome/application/chrome.exe,Prevalence: Reputation was not used in this detection.,Confidence: Reputation was not used in this detection.,URL Tracking Status: Off,,First Seen: Reputation was not used in this detection.,Sensitivity: ,Not on the permitted application list,Application hash: 1222D5AC68AB90DFCB14E3C2E2258D695DE12B27D3AADBBD94AA85A3A85D4701,Hash type: SHA2,Company name: ,Application name: ipscan-3.5.2-setup.exe,Application version: ,Application type: 127,File size (bytes): 3241092,Category set: Security risk,Category type: Security Assessment Tool,Location: Default"
| rex max_match=0 "(?<fieldname>[^,]+): (?<fieldvalue>[^,]+)"
| eval tmp=mvzip(fieldname,fieldvalue,"=")
As this result:
transforms.conf
[your stanza]
REGEX = ([^,]+): ([^,]+)
FORMAT = $1::$2
Isn't this OK?
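An added Python example, not from the post or from Splunk, that parses the same SEP "Security risk found" line offline so the behaviour of the `([^,]+): ([^,]+)` pattern can be checked: it keeps the empty `key: ` slots and the keyless positional tokens (timestamp, event type, file path) that the pattern skips, and then runs a defender check on the parsed fields. The sample line is a shortened copy of the one in the post; the function names are this example's own.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: a shortened copy of the SEP line quoted in the post.
SAMPLE = (
    "2018-02-01 09:45:58,Security risk found,IP Address: 10.X.X.X,"
    "Computer name: XXXXXXXX,Certificate issuer: ,Certificate signer: ,"
    "Source: Auto-Protect scan,Risk name: AngryIPScanner,Occurrences: 1,"
    "C:\\Users\\XXXXXXXX\\Downloads\\Unconfirmed 312246.crdownload,,"
    "Actual action: Left alone,Requested action: Quarantined,"
    "Event time: 2018-02-01 09:42:32,"
    "Downloaded by: c:/program files (x86)/google/chrome/application/chrome.exe"
)
# Same pattern as the rex / transforms.conf stanza in the post, for comparison.
POST_REGEX = re.compile(r"([^,]+): ([^,]+)")


def parse_sep_risk_event(raw: str) -> Tuple[Dict[str, str], List[str]]:
    """Split one comma-delimited SEP risk line into 'key: value' fields plus
    the positional tokens that carry no key (timestamp, event type, path)."""
    fields: Dict[str, str] = {}
    positional: List[str] = []
    for token in raw.split(","):
        if not token:                         # SEP writes an empty slot as ",,"
            continue
        key, sep, value = token.partition(": ")
        if sep:                               # first ': ' splits key from value
            fields[key.strip()] = value.strip()   # empty value is kept as ""
        else:                                 # 'C:\...' has ':\', not ': '
            positional.append(token)
    return fields, positional


def fields_dropped_by_post_regex(raw: str) -> List[str]:
    """Keys the parser sees but the post's pattern misses: the value group
    [^,]+ needs at least one character, so 'Certificate issuer: ,' never matches."""
    parsed, _ = parse_sep_risk_event(raw)
    matched = {key for key, _ in POST_REGEX.findall(raw)}
    return sorted(key for key in parsed if key not in matched)


def needs_follow_up(fields: Dict[str, str]) -> bool:
    """SEP asked to quarantine but the file was left alone: the detection
    fired without remediating, which is the case worth alerting on."""
    return fields.get("Actual action") != fields.get("Requested action")
```

For the sample line, `fields_dropped_by_post_regex` reports the two empty certificate fields and `needs_follow_up` returns True, because "Left alone" differs from "Quarantined".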