Hi,
I need to look at the raw events coming in from Office 365, which are JSON formatted,
and then route them based upon the content.
I want to route them based upon the "Workload" field that is coming in. Has anyone done this?
Here's a sample of the field:
"Workload": "AzureActiveDirectory"}
You could use ingest-time eval, if you have Splunk 7.2+.
https://docs.splunk.com/Documentation/Splunk/latest/Data/IngestEval
props.conf:
[o365:management:activity]
TRANSFORMS = o365index
transforms.conf option 1: manually choose index based on Workload field:
[o365index]
INGEST_EVAL = index=case(match(_raw,"\"Workload\":\s\"AzureActiveDirectory\"}"),"index1",match(_raw,"\"Workload\":\s\"Exchange\"}"),"index2",true(),"index3")
transforms.conf option 2: dynamically choose the index based on the Workload field; the index will have the same name as the Workload (o365:exchange, o365:sharepoint, etc.):
[o365index]
INGEST_EVAL = index="o365:".lower(replace(_raw,".*?\"Workload\":\s\"([^\"]+).*","\1"))
Sounds spot on for transforms.conf. The spec file has an example:
[AppRedirect]
REGEX = \"Workload\"\:
DEST_KEY = _MetaData:Index
FORMAT = VerboseIndex
This post, route data to indexes based on fields, provides more detail.
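Splunk config cannot be run offline, so the following is an added Python emulation (not part of the original thread, and not Splunk's own evaluator) of the three routing rules above: the case() regex list from option 1, the dynamic replace() from option 2, and the static REGEX/DEST_KEY transform from the second reply. Python's re is used in place of Splunk's PCRE; for these patterns the behaviour is the same. The sample events are constructed here, not taken from a real tenant. It also goes a little beyond the thread: it shows why the trailing `}` in option 1 only matches when Workload is the last key of the event, why option 2 produces a garbage index name when an event has no Workload (Splunk's replace() returns its input unchanged when the regex does not match), and a JSON-aware, allow-listed variant (hypothetical names KNOWN_WORKLOADS and DEFAULT_INDEX) that a practitioner would want before routing to indexes that may not exist.

```python
import json
import re

# Constructed sample events (not from the original post). Event 5 has the same
# Workload as event 1 but with a different key order, to exercise the caveat.
SAMPLE_EVENTS = [
    '{"Id": "1", "Operation": "UserLoggedIn", "Workload": "AzureActiveDirectory"}',
    '{"Id": "2", "Workload": "SharePoint", "Operation": "FileAccessed"}',
    '{"Id": "3", "Operation": "MailItemsAccessed", "Workload": "Exchange"}',
    '{"Id": "4", "Operation": "Unknown"}',
    '{"Id": "5", "Workload": "AzureActiveDirectory", "Operation": "UserLoggedIn"}',
]

# Option 1 as posted: literal regexes including the closing brace, tried in order,
# with true() -> "index3" as the fallthrough.
OPTION1_RULES = [
    (re.compile(r'"Workload":\s"AzureActiveDirectory"}'), "index1"),
    (re.compile(r'"Workload":\s"Exchange"}'), "index2"),
]
OPTION1_DEFAULT = "index3"


def option1_index(raw):
    """Emulate index=case(match(_raw, ...), "index1", ..., true(), "index3")."""
    for pattern, index in OPTION1_RULES:
        if pattern.search(raw):
            return index
    return OPTION1_DEFAULT


# Option 2 as posted: replace(_raw, ".*?\"Workload\":\s\"([^\"]+).*", "\1").
OPTION2_PATTERN = re.compile(r'.*?"Workload":\s"([^"]+).*')


def option2_index(raw):
    """Emulate index="o365:".lower(replace(_raw, ..., "\\1")).

    When the regex does not match, replace() hands back _raw untouched, so the
    computed index becomes "o365:" + the entire lowercased event.
    """
    replaced = OPTION2_PATTERN.sub(r"\1", raw)
    return "o365:" + replaced.lower()


# Second reply: REGEX = "Workload": with DEST_KEY = _MetaData:Index and
# FORMAT = VerboseIndex. Non-matching events keep whatever index the input set.
STATIC_PATTERN = re.compile(r'"Workload":')


def static_index(raw, input_index="main"):
    """Emulate a classic transforms.conf routing stanza with a fixed FORMAT."""
    return "VerboseIndex" if STATIC_PATTERN.search(raw) else input_index


# Hypothetical hardened variant (not from the thread): parse the JSON so key
# order and whitespace do not matter, and only route to indexes known to exist.
KNOWN_WORKLOADS = {"azureactivedirectory", "exchange", "sharepoint", "onedrive"}
DEFAULT_INDEX = "o365:other"


def json_index(raw):
    """Route on the parsed Workload field, falling back to a catch-all index."""
    try:
        workload = json.loads(raw).get("Workload", "")
    except json.JSONDecodeError:
        return DEFAULT_INDEX
    workload = str(workload).lower()
    return f"o365:{workload}" if workload in KNOWN_WORKLOADS else DEFAULT_INDEX


def route_all(events):
    """Return, per event, the index each rule would assign."""
    return [
        {
            "event": ev,
            "option1": option1_index(ev),
            "option2": option2_index(ev),
            "static": static_index(ev),
            "json": json_index(ev),
        }
        for ev in events
    ]


if __name__ == "__main__":
    for row in route_all(SAMPLE_EVENTS):
        print(row["event"])
        for rule in ("option1", "option2", "static", "json"):
            print(f"  {rule:8} -> {row[rule]}")
```

Running it shows event 5 landing in index3 under option 1 purely because Workload is not the last key, and event 4 getting an index name under option 2 that no indexer will accept. On the Splunk side the equivalent fixes are to drop the trailing `}` and use `\s*` in the regexes, and to add a case() branch that routes anything without a recognised Workload to an index that actually exists.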