
Microsoft Office 365: Regex to route events based upon content

a212830
Champion

Hi,
I need to look at the raw events coming in from Office 365, which are JSON formatted,
and then route them based upon the content.

I want to route them based upon the "Workload" field that is coming in. Has anyone done this?

Here's a sample of the field:

"Workload": "AzureActiveDirectory"}
0 Karma

spayneort
Contributor

You could use ingest-time eval, if you have Splunk 7.2+.

https://docs.splunk.com/Documentation/Splunk/latest/Data/IngestEval

props.conf:

[o365:management:activity]
TRANSFORMS = o365index

transforms.conf option 1: manually choose index based on Workload field:

[o365index]
INGEST_EVAL = index=case(match(_raw,"\"Workload\":\s\"AzureActiveDirectory\"}"),"index1",match(_raw,"\"Workload\":\s\"Exchange\"}"),"index2",true(),"index3")

transforms.conf option 2: dynamically choose index based on Workload field, index will have same name as Workload (o365:exchange, o365:sharepoint, etc.)

[o365index]
INGEST_EVAL = index="o365:".lower(replace(_raw,".*?\"Workload\":\s\"([^\"]+).*","\1"))
0 Karma
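To check what the two transforms.conf options above would actually do before deploying them, here is an added Python re-implementation of both INGEST_EVAL expressions run over constructed sample events (example code, not from the original answer or from Splunk); the event bodies and the NO_MATCH marker are assumptions for illustration.

```python
import re

# Constructed sample Office 365 management-activity events (not real tenant data).
SAMPLE_EVENTS = [
    '{"Id": "1", "Operation": "UserLoggedIn", "Workload": "AzureActiveDirectory"}',
    '{"Id": "2", "Operation": "Send", "Workload": "Exchange"}',
    '{"Id": "3", "Operation": "FileAccessed", "Workload": "SharePoint"}',
    # Compact JSON: no space after the colon, so "\s" in the posted regexes will not match.
    '{"Id": "4", "Operation": "FileAccessed", "Workload":"OneDrive"}',
    # Workload is not the last key, so the "}" anchor in option 1 will not match.
    '{"Id": "5", "Workload": "Exchange", "Operation": "Send"}',
]

# Option 1: the case() branches from the transforms.conf stanza, evaluated in order.
OPTION1_RULES = [
    (re.compile(r'"Workload":\s"AzureActiveDirectory"}'), "index1"),
    (re.compile(r'"Workload":\s"Exchange"}'), "index2"),
]
OPTION1_DEFAULT = "index3"   # the true() branch


def route_option1(raw: str) -> str:
    """Return the index chosen by the option-1 case() expression for one raw event."""
    for pattern, index in OPTION1_RULES:
        if pattern.search(raw):   # match() in Splunk eval is an unanchored search
            return index
    return OPTION1_DEFAULT


# Option 2: derive the index name from the captured Workload value.
OPTION2_PATTERN = re.compile(r'.*?"Workload":\s"([^"]+).*')


def route_option2(raw: str) -> str:
    """Return "o365:<workload>" as the option-2 replace() expression would build it.
    The posted INGEST_EVAL has no guard for a non-matching event: replace() leaves
    the string unchanged, so the index name would become the whole lowercased
    event. Here that case is reported explicitly instead (NO_MATCH is assumed)."""
    if not OPTION2_PATTERN.fullmatch(raw):
        return "NO_MATCH"   # in the real config such an event needs a fallback index
    return "o365:" + OPTION2_PATTERN.sub(r"\1", raw).lower()


def route_all(events=SAMPLE_EVENTS):
    """Route every sample event with both options side by side."""
    return [(route_option1(e), route_option2(e)) for e in events]


if __name__ == "__main__":
    for raw, (idx1, idx2) in zip(SAMPLE_EVENTS, route_all()):
        print(f"option1={idx1:7} option2={idx2:28} {raw}")
```

Events 4 and 5 show where the two options disagree: option 1 falls through to its default whenever the space or the trailing brace is missing, while option 2 only needs the Workload key to be present somewhere in the event.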

sloshburch
Splunk Employee

Sounds spot on for transforms.conf. The spec file has an example:

[AppRedirect]
REGEX = \"Workload\"\:
DEST_KEY = _MetaData:Index
FORMAT = VerboseIndex

This post, "route data to indexes based on fields", provides more detail.

0 Karma