Set variable Sourcetype based on Regex

NaorPenso · ‎06-29-2014

Hi Guys,
Quick question, i would like to set a sourcetype based on regex.
Meaning, considering these events:

CEF:0|Quest|Sourcetype1|||User member-of removed|Low| end=Jun 29 2014 15:16:03 sourceDnsDomain= XXXXX cn1=2 cn1Label=SeverityID suser=XXXXXXXX suid=~XXXXX shost=XXXXX.corp.test.com msg=The user Domain\\XXXXX$ was removed from the group XXXXX \\ XXXXX. sourceServiceName=user flexString1= XXXXX \\ XXXXX flexString1Label=Old Value flexString2= flexString2Label=New Value cs1= XXXXX \\ XXXXX $ cs1Label=user-dn cs2= XXXXX \\ XXXXX cs2Label=old-member-of duser= XXXXX$ deviceCustomDate1=Jun 29 2014 15:16:17 deviceCustomDate1Label=CA Time Received

CEF:0|Quest|Sourcetype3|||User member-of removed|Low| end=Jun 29 2014 15:16:03 sourceDnsDomain= XXXXX cn1=2 cn1Label=SeverityID suser=XXXXXXXX suid=~XXXXX shost=XXXXX.corp.test.com msg=The user Domain\\XXXXX$ was removed from the group XXXXX \\ XXXXX. sourceServiceName=user flexString1= XXXXX \\ XXXXX flexString1Label=Old Value flexString2= flexString2Label=New Value cs1= XXXXX \\ XXXXX $ cs1Label=user-dn cs2= XXXXX \\ XXXXX cs2Label=old-member-of duser= XXXXX$ deviceCustomDate1=Jun 29 2014 15:16:17 deviceCustomDate1Label=CA Time Received

CEF:0|Quest|Sourcetype4|||User member-of removed|Low| end=Jun 29 2014 15:16:03 sourceDnsDomain= XXXXX cn1=2 cn1Label=SeverityID suser=XXXXXXXX suid=~XXXXX shost=XXXXX.corp.test.com msg=The user Domain\\XXXXX$ was removed from the group XXXXX \\ XXXXX. sourceServiceName=user flexString1= XXXXX \\ XXXXX flexString1Label=Old Value flexString2= flexString2Label=New Value cs1= XXXXX \\ XXXXX $ cs1Label=user-dn cs2= XXXXX \\ XXXXX cs2Label=old-member-of duser= XXXXX$ deviceCustomDate1=Jun 29 2014 15:16:17 deviceCustomDate1Label=CA Time Received

I would like to be able to extract the sourcetype (sourcetype1, sourcetype3, sourcetype4) based on a regex (which i haven't created yet, if anyone can assist with that as well that would be great).
I have looked into Variable Sourcetype Rule but did not find a way to do so.

Thanks in advance,
Naor

Ayn · ‎06-29-2014

Setup a TRANSFORMS rule in props.conf / transforms.conf. Something like this:

props.conf:

[originalsourcetype]
TRANSFORMS-changesourcetypes = changesourcetype1,changesourcetype2,changesourcetype3

transforms.conf:

[changesourcetype1]
REGEX = yourregexforsourcetype1
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::sourcetype1

[changesourcetype2]
REGEX = yourregexforsourcetype2
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::sourcetype2

[changesourcetype3]
REGEX = yourregexforsourcetype3
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::sourcetype3

Set variable Sourcetype based on Regex

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor