Getting Data In

How to set a new field at index-time based on matching event pattern?

lukasz92
Communicator

I am trying to parse a complicated log for malware data model.

I want to set a new field: action="allowed" or action="blocked" - based on matching event pattern. (simple: some string in my language). I want to do it at index time - not with using any query (eval).

Is it possible and how to do it?

Tags (3)
0 Karma
1 Solution

lukasz92
Communicator

I have done it with transforms, like this:

transforms.conf:
[test1_blocked1]
DEST_KEY = _meta
REGEX = wrgtg trg thrhtryhth
FORMAT = action::blocked

and props.conf:
[sourcetype1]
TRANSFORMS-test = test1_blocked1

View solution in original post

0 Karma

lukasz92
Communicator

I have done it with transforms, like this:

transforms.conf:
[test1_blocked1]
DEST_KEY = _meta
REGEX = wrgtg trg thrhtryhth
FORMAT = action::blocked

and props.conf:
[sourcetype1]
TRANSFORMS-test = test1_blocked1

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...