Getting Data In

How to create props.conf and transforms.conf to change the fields name of a CEF event

Federica_92
Communicator

Hi everyone,

I'm receiving logs in arcsight format, for example:

 <131>Oct  8 12:06:49 servename ASM:CEF:0|F5|ASM|11.5.3|Header name with no header value|HTTP protocol compliance failed|5|dvchost=servename dvc=x.x.x.x cs1=/Common/xxx cs1Label=policy_name cs2=/Common/xxx cs2Label=http_class_name deviceCustomDate1=Jul 03 2015 10:53:44 deviceCustomDate1Label=policy_apply_date externalId=8938493 act=alerted cn1=200 cn1Label=response_code src=x.x.x.x spt=45391 dst=x.x.x.x dpt=443 requestMethod=GET app=HTTPS cs5=N/A cs5Label=x_forwarded_for_header_value rt=Oct 08 2015 12:06:49 deviceExternalId=1 cs4=N/A cs4Label=attack_type cs6=IE cs6Label=geo_location c6a1= c6a1Label=device_address c6a2= c6a2Label=source_address c6a3= c6a3Label=destination_address c6a4=N/A c6a4Label=ip_address_intelligence msg=N/A ...

splunk it's correctly extracting the field as:

cn1=200 
cn1Label=response_code
cs4=attack_HTTP
labelcs4=attack_description

But I need to change the name of the fields from cn1 to "response_code" and delete cn1Label, or from cs4 to "attack_description", and to delete cs4label, is there anyway to do this in the props.conf/transform.conf file?
Could please someone help me?

Thanks

0 Karma

woodcock
Esteemed Legend

I just realized that there is another way to interpret your question. Perhaps you are seeking to have a dynamic field creation based on these 4 fields such that this example set (which could be different for every event):

cn1=200 
cn1Label=text_for_field_name_cn1
cs4=attack_HTTP
labelcs4=text_for_field_name_cs4

Will morph to this:

text_for_field_name_cn1=200
text_for_field_name_cs4=attack_http

To do this, you need these configurations:

props.conf:

[YourSourcetypeHere]
REPORT-swappy_KVP = swappy_KVP

transforms.conf:

[swappy_KVP]
REGEX = =([^=]*)\s+[^=]*?Label=([\S]*)
FORMAT = $2::$1
MV_ADD = 1

Federica_92
Communicator

thanks, I'm trying by now

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Is the value of cn1Label and cs4Lable field fixed, OR they can change?

0 Karma

woodcock
Esteemed Legend

The only way to create index-time fields is to modify the raw event data itself before it gets indexed. I highly advise you to NOT do this. What you can do instead, is create search-time field aliases like this inside props.conf:

[YourSourcetypeHere]
FIELDALIAS-acme = cn1 as response_code cs4 as attack_description
0 Karma

Federica_92
Communicator

I'm trying using this way, I did exactly as you wrote here so cn1 as response_code, but when I add the new logs in splunk the field name is not changing...
I'm using a cluster, I placed the file under master-app/_cluster/local and next I did the bundle, could this be the reason of the problem?

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...