I am using Graylog to forward my Windows events. All the event field names start with winlogbeat, but some are
_event_data_TargetName and some are _event_data_SubjectName. This appears to differ by Windows event type.
Can I do something like
if winlogbeat_event_data_TargetDomainName not null then
FIELDALIAS-winlogbeat_as_account_domain = winlogbeat_event_data_TargetDomainName as Account_Domain
else
FIELDALIAS-winlogbeat_as_account_domain = winlogbeat_event_data_SubjectDomainName as Account_Domain
Thanks!
You can do something like below
# props.conf, search-time: alias each source field to its own name, then coalesce into Account_Domain
# (field aliases are applied before calculated fields, so the EVAL can see both alias fields)
FIELDALIAS-winlogbeat_as_account_domain_target = winlogbeat_event_data_TargetDomainName as account_domain_target
FIELDALIAS-winlogbeat_as_account_domain_subject = winlogbeat_event_data_SubjectDomainName as account_domain_subject
EVAL-Account_Domain = coalesce(account_domain_target, account_domain_subject)
Calculated fields
https://docs.splunk.com/Documentation/Splunk/7.1.1/Knowledge/definecalcfields
Thank You!