I am using the HTTP Event Collector on a search head directly. On this SH I am using an API token to connect and get Okta logs.
While doing this I am getting logs from other OpCos as well. Is there a way I can filter the events on the SH before they get indexed, or even after they get indexed?
I do not want events whose alternateId is 123@yahoo.com.
Sample log event -
{"outcome": {"result": "SUCCESS", "reason": null}, "transaction": {"type": "WEB", "detail": {}, "id": "Xo1bawKolLzMzd8K9kfu7QAAAfg"}, "uuid": "75a3359f-7956-11ea-bbe3-014a745a938e", "request": {"ipChain": [{"ip": "138.75.252.133", "source": null, "geographicalContext": {"postalCode": "18", "country": "Singapore", "city": "Singapore", "state": null, "geolocation": {"lon": 103.8547, "lat": 1.2929}}, "version": "V4"}, {"ip": "165.225.112.151", "source": null, "geographicalContext": {"postalCode": null, "country": null, "city": null, "state": null, "geolocation": {"lon": 105.0, "lat": 35.0}}, "version": "V4"}]}, "severity": "INFO", "version": "0", "eventType": "user.authentication.sso", "target": [{"type": "AppInstance", "detailEntry": {"signOnModeType": "SAML_2_0"}, "displayName": "Okta Org2Org", "id": "0oal0mtjt5nMLSHRs0h7", "alternateId": "CIAM MarshDev"}, {"type": "AppUser", "detailEntry": null, "displayName": "Mansi Mittal", "id": "0uam4poth8cW3A68j0h7", "alternateId": "123@gmail.com"}],
You can send these logs to the null queue with the configuration below on the search head.
props.conf
# Replace sourcetype_name with the sourcetype assigned to the Okta HEC input
[sourcetype_name]
TRANSFORMS-null_queue = data_nullq
transforms.conf
# Route any raw event matching REGEX to nullQueue so it is dropped before indexing
[data_nullq]
DEST_KEY = queue
REGEX = \"alternateId\"\:\s\"123@gmail\.com\"
FORMAT = nullQueue
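To see what the nullQueue stanza above actually drops, here is an added example (not part of the original answer or of any Splunk component) that applies the same REGEX to a few constructed Okta-style events and compares it with a JSON-aware check. The regex is copied verbatim from the transforms.conf stanza; Splunk's REGEX is PCRE, and this pattern is also valid Python re syntax. The sample events, the hypothetical actor/target traversal and the case-insensitive comparison are assumptions made for the example.

```python
import json
import re

# Regex copied from the transforms.conf stanza above. Note the single \s: it
# requires exactly one whitespace character between the colon and the value.
NULLQ_REGEX = re.compile(r'\"alternateId\"\:\s\"123@gmail\.com\"')

# Constructed sample events (not real Okta data). Only the fields needed for
# the comparison are included; spacing and values are varied on purpose.
SAMPLE_EVENTS = [
    # 1: serialized with a space after the colon, the form the regex expects
    '{"eventType": "user.authentication.sso", "target": [{"type": "AppUser", "alternateId": "123@gmail.com"}]}',
    # 2: a different user, must be kept
    '{"eventType": "user.authentication.sso", "target": [{"type": "AppUser", "alternateId": "alice@example.com"}]}',
    # 3: the unwanted user, but serialized without a space after the colon
    '{"eventType":"user.authentication.sso","target":[{"type":"AppUser","alternateId":"123@gmail.com"}]}',
    # 4: the unwanted address appears only as a suffix of another address
    '{"eventType": "user.authentication.sso", "target": [{"type": "AppUser", "alternateId": "x123@gmail.com"}]}',
]


def regex_route(raw_event: str) -> str:
    """Emulate the TRANSFORMS stanza: DEST_KEY=queue, FORMAT=nullQueue on a match.

    Splunk runs REGEX against the raw event text, so this is a plain search on the string.
    """
    return "nullQueue" if NULLQ_REGEX.search(raw_event) else "indexQueue"


def json_route(raw_event: str, unwanted: str = "123@gmail.com") -> str:
    """Structured alternative (assumption for this example, not Splunk's behaviour).

    Parses the event and compares the alternateId of the actor and every target
    exactly, case-insensitively, so serialization spacing does not matter.
    """
    try:
        event = json.loads(raw_event)
    except json.JSONDecodeError:
        return "indexQueue"  # never drop data that could not be parsed
    candidates = [(event.get("actor") or {}).get("alternateId")]
    for target in event.get("target") or []:
        candidates.append(target.get("alternateId"))
    if any(isinstance(c, str) and c.lower() == unwanted.lower() for c in candidates):
        return "nullQueue"
    return "indexQueue"


def route_all(events, router):
    """Apply a routing function to every event and return the queue decisions."""
    return [router(e) for e in events]


if __name__ == "__main__":
    for name, router in (("regex", regex_route), ("json", json_route)):
        print(name, route_all(SAMPLE_EVENTS, router))
```

Event 1 is dropped by both filters and events 2 and 4 are kept by both, which is the intended behaviour. Event 3 shows the difference: the raw-text regex keeps it because there is no whitespace after the colon, while the structured check drops it. If the Okta payload arriving over HEC is compact JSON, allow for that in the REGEX (for example `\s*` instead of `\s`) and confirm with a search on the sourcetype that the events you expected to disappear actually did.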