I am sending eve.json to our data lake using the Splunk Universal Forwarder installed on the IDS sensor. In reading over some of the docs that reference filtering and sending specific events, I see that one can use transforms.conf and props.conf. Within the /opt/splunkforwarder directory I see several props.conf files. I would like to ask which of these is the one I should add the requested filtering to.
The inputs file is properly configured to forward all the events within the eve.json file. The issue I have is that I would like to limit the forwarding to only alert events.
I found an article that proposed the use of the props.conf and transforms.conf file. Looking at the example for
In the example it says to edit props.conf and add the setnull and setparsing stanzas. In the example they are attempting to only forward sshd events from a messages log file. I would like to use this with the eve.json file from Suricata. The problem is that I only want the alerts and do not require all the other event types typical of this type of file. So I modified the below to filter the eve.json.
My question is which props.conf file do I add the below to?
# props.conf: apply both transforms, in this order, to events from this source
[source::/xxx/xxx/eve.json]
TRANSFORMS-set = setnull,setparsing
Edit transforms.conf and add the following:
# Default: every event from the source goes to the nullQueue (dropped)
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

# Override: events whose raw JSON contains "event_type":"alert" go to the indexQueue.
# Plain ASCII double quotes, and no square brackets: the curly quotes and
# literal \[ \] in the first attempt never match an eve.json line.
[setparsing]
REGEX = "event_type"\s*:\s*"alert"
DEST_KEY = queue
FORMAT = indexQueue

Thank you
Jesus
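The following is an added example, not part of the original post or of Splunk's own code. It simulates how the two transforms stanzas above route events: `setnull` sends every event to the nullQueue, then `setparsing` overrides the queue for events whose raw text matches the alert regex (the last matching transform wins). The sample eve.json lines are constructed, the regex is the corrected one from the post, and Python's `re` stands in for Splunk's PCRE engine, which is close enough for this pattern. It also shows that the original pattern with curly quotes and literal brackets matches nothing. Two points the example assumes rather than proves: the stanzas belong in a `local` directory (for instance `$SPLUNK_HOME/etc/system/local/props.conf`), since files under `default` are replaced on upgrade, and queue routing with `TRANSFORMS-` happens in the parsing pipeline, which runs on an indexer or heavy forwarder rather than on a universal forwarder unless the forwarder is configured to parse the data itself.

```python
import json
import re

# Corrected [setparsing] regex from the post (Splunk evaluates REGEX against the raw event text).
SETPARSING_REGEX = re.compile(r'"event_type"\s*:\s*"alert"')

# The post's first attempt (curly quotes, literal square brackets), kept only for comparison.
ORIGINAL_REGEX = re.compile(r'\[“event_type”:”alert”\]')

# Constructed sample eve.json lines (not real sensor output): an alert, a DNS record,
# a flow record, and an alert written with whitespace around colons.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2024-01-01T00:00:00.000000+0000","event_type":"alert",'
    '"src_ip":"10.0.0.5","alert":{"signature":"EXAMPLE SIGNATURE"}}',
    '{"timestamp":"2024-01-01T00:00:01.000000+0000","event_type":"dns",'
    '"src_ip":"10.0.0.5","dns":{"rrname":"example.test"}}',
    '{"timestamp":"2024-01-01T00:00:02.000000+0000","event_type":"flow",'
    '"src_ip":"10.0.0.5","flow":{"pkts_toserver":3}}',
    '{"timestamp": "2024-01-01T00:00:03.000000+0000", "event_type": "alert", '
    '"src_ip": "10.0.0.6", "alert": {"signature": "EXAMPLE SIGNATURE 2"}}',
]


def route_event(raw_line: str, pattern: re.Pattern = SETPARSING_REGEX) -> str:
    """Simulate TRANSFORMS-set = setnull,setparsing for one raw event."""
    queue = "nullQueue"            # [setnull]: REGEX = . matches any non-empty event
    if pattern.search(raw_line):   # [setparsing]: overrides the queue when it matches
        queue = "indexQueue"
    return queue


def route_events(lines, pattern: re.Pattern = SETPARSING_REGEX) -> dict:
    """Route a batch of raw lines; returns {line index: queue name}."""
    return {idx: route_event(line, pattern) for idx, line in enumerate(lines)}


def regex_agrees_with_json(lines, pattern: re.Pattern = SETPARSING_REGEX) -> bool:
    """Cross-check: the raw-text regex decision must match the parsed event_type field."""
    for line in lines:
        is_alert = json.loads(line).get("event_type") == "alert"
        expected = "indexQueue" if is_alert else "nullQueue"
        if route_event(line, pattern) != expected:
            return False
    return True


def count_matches(lines, pattern: re.Pattern) -> int:
    """How many raw lines a given pattern would send to the indexQueue."""
    return sum(1 for line in lines if pattern.search(line))


if __name__ == "__main__":
    for idx, line in enumerate(SAMPLE_EVE_LINES):
        print(idx, json.loads(line)["event_type"], "->", route_event(line))
    print("corrected regex keeps:", count_matches(SAMPLE_EVE_LINES, SETPARSING_REGEX))
    print("original regex keeps:", count_matches(SAMPLE_EVE_LINES, ORIGINAL_REGEX))
    print("regex agrees with parsed JSON:", regex_agrees_with_json(SAMPLE_EVE_LINES))
```

Running it prints the queue each sample line would land in: the two alert records go to the indexQueue, the dns and flow records are dropped, and the original pattern keeps zero lines. The `\s*` around the colon matters when the JSON writer emits spaces after colons; a pattern fixed to `"event_type":"alert"` would silently drop such alerts, which `regex_agrees_with_json` would catch.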