I'd like to sanitize host names during search time in Splunk (IDS alerts), so users don't receive a hyperlink to the bad sites and the alerts don't get snagged by the mail filter. I'd like to keep the inline table results of the alerts for mobile users and general convenience.
For example, www.badsite.com is automatically hyperlinked in e-mail clients, so I'd like to prepend hxxp:// to the field so the sent alert message doesn't get hyperlink or dropped. By specifying a bogus protocol both fat mail client and mail scanner will pass the inline table without issue.
I found something about appending in the community, but that just shows a blank field during search for me (even when I assign httphostname without a period).
eval http.hostname=http.hostname."hxxp://" |
In theory, I'd like this to prepend and actually work:
eval http.hostname="hxxp://".http.hostname |
I'm using Splunk 6.3.2 in a clustered Linux environment, any help is appreciated.
Assuming that you have a field called http.hostname
then like this:
... | eval "http.hostname" = "hxxp://" . $http.hostname$
Or possibly this:
... | rex field="http.hostname" mode=sed "s/^http:/hxxp:/"
Assuming that you have a field called http.hostname
then like this:
... | eval "http.hostname" = "hxxp://" . $http.hostname$
Or possibly this:
... | rex field="http.hostname" mode=sed "s/^http:/hxxp:/"
This worked perfectly, thanks!
... | eval "http.hostname" = "hxxp://" . $http.hostname$
Try putting your field name with single quotes. Like this
| eval http.hostname="hxxp://".`http.hostname`
Error in 'SearchParser': The name 'http.hostname' is invalid. Macro and argument names may only include alphanumerics, '_' and '-'.