Change value of field at index time based on condi...

shayhibah · ‎01-02-2020

Hi,

I am wondering if its possible t change value of field based on condition at index time.

For example:

If the log contains field X with value XX, then in case field Y exists, change Y value to YY.

Thanks

sanjeev543 · ‎01-02-2020

Why are you looking to change at index time ? Anyway, you have 2 options to replace Y with new value

1) using the Ingest-eval in transforms.conf
props.conf

[my_sourcetype]
TRANSFORMS-y = change_y

transforms.conf

[change_y]
INGEST_EVAL = y=if(x LIKE "%foo%","YY",'y')

But using this will override the other settings that you might have defined for this sourcetype at index time like REGEX,FORMAT..etc.
Please refer https://docs.splunk.com/Documentation/Splunk/8.0.1/Admin/Transformsconf#transforms.conf.spec

2) Using the REGEX and FORMAT in transforms.conf to modify the _raw data itself

props.conf

[my_sourcetype]
TRANSFORMS-y = change_xy

transforms.conf

[change_xy]
REGEX = (x.*foo\s+)y.*
DEST_KEY = _raw
FORMAT = $1ynew_value

Please write REGEX to match your X with value XX , this will match event with X having XX and replace with X and with the newvalue that you update in FORMAT

If you are considering to update the Y value at search time, please update your props.conf as below,

[my_sourcetype]
...
<your props configs>
....
EVAL-Y = if(x LIKE "%XX%","YY",'Y')

shayhibah · ‎01-02-2020

hi @sanjeev543

The reason I asked about index time is because I would like to change my values to the values Enterprise Security needs to get.

Is it possible to do this on search time and it will be OK for ES too?

sanjeev543 · ‎01-03-2020

Yes, if that's the only reason, please prefer using the search time and if you are able to solve the issue using my solution. Please mark the answer as accepted 🙂

Change value of field at index time based on condition

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!