How to change the host field using another field during ingestion?

nathanpyen
New Member

We just started ingesting Windows event logs from Microsoft Azure Storage (sourcetype = mscs:storage:table). We installed the Microsoft Cloud Services add-on on one of our heavy forwarders, which forwards to our indexers.

When the data gets indexed, the host field value is the name of the heavy forwarder instead of the actual Windows host. The actual Windows host name is carried in a field called RoleInstance.

Example:
Channel: Security
DeploymentId: be79887e-
Description: Key file operation.

Subject:
Security ID: S-1-5-18
Account Name: AZDC$
Account Domain: F
Logon ID: 0x3E7

Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: UNKNOWN
Key Name: {55C5AD0C-}
Key Type: Machine key.

Key File Operation Information:
File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\
Operation: Read persisted key from file.
Return Code: 0x0
EventId: 5058
EventTickCount: 6369
EventTickCount@odata.type: Edm.Int64
Level: 0
Opcode: 0
PartitionKey: 06
Pid: 708
PreciseTimeStamp: 2019-05-13T17:16:58.0636879Z
PreciseTimeStamp@odata.type: Edm.DateTime
ProviderGuid: {5484962-}
ProviderName: Microsoft-Windows-Security-Auditing
RawXml:
Role: IaaS
RoleInstance: _AZDC
RowIndex: 000000

Is there a way to change that? Or is this something I will have to do with transforms.conf and props.conf?

If so, how would I have to write the regex so it extracts the actual server name from the RoleInstance field?

The raw event starts like this:
{"DeploymentId": "be798", "EventTickCount@odata.type": "Edm.Int64", "RoleInstance": "_AZDC", "TIMESTAMP@odata.type": "Edm.DateTime", "odata.etag":

0 Karma
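The usual way to do what the post asks is an index-time host override: a transforms.conf stanza whose REGEX runs over _raw, captures the RoleInstance value and writes it to MetaData:Host, wired to the sourcetype through a TRANSFORMS- key in props.conf. The example below is an added illustration, not code from the post, the add-on or Splunk itself. It carries the two stanzas as text, then emulates what the Splunk parsing pipeline does with them so the result can be checked offline. The stanza name mscs_host_from_roleinstance, the forwarder name hf01 and the sample raw event (the opening of the JSON from the post, closed off with constructed filler fields) are all assumptions.

```python
"""Emulate Splunk's index-time host override for mscs:storage:table events.

Added illustration, not Splunk code: it reads the same props.conf / transforms.conf
stanzas you would deploy, applies the REGEX to _raw the way the parsing pipeline
does, and shows which host value the event would be indexed with.
"""
import re

# What goes on the HEAVY FORWARDER (e.g. in an app's local/ directory). The HF is
# where this input is parsed; data reaches the indexers already cooked, so the
# same stanzas placed only on the indexers would have no effect.
TRANSFORMS_CONF = r"""
[mscs_host_from_roleinstance]
REGEX = "RoleInstance"\s*:\s*"([^"]+)"
FORMAT = host::$1
DEST_KEY = MetaData:Host
"""

PROPS_CONF = r"""
[mscs:storage:table]
TRANSFORMS-sethost = mscs_host_from_roleinstance
"""

# Constructed sample: the opening of the raw JSON shown in the post, closed off
# with filler so it is a complete object. Key order is irrelevant because the
# regex searches the whole _raw string.
SAMPLE_RAW = (
    '{"DeploymentId": "be798", "EventTickCount@odata.type": "Edm.Int64", '
    '"RoleInstance": "_AZDC", "TIMESTAMP@odata.type": "Edm.DateTime", '
    '"odata.etag": "constructed", "EventId": 5058}'
)


def parse_conf(text):
    """Minimal .conf parser: {stanza: {key: value}}; comments and blanks skipped."""
    stanzas, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def transforms_for_sourcetype(sourcetype):
    """Transform stanzas that props.conf wires to a sourcetype, in declaration order."""
    props = parse_conf(PROPS_CONF).get(sourcetype, {})
    transforms = parse_conf(TRANSFORMS_CONF)
    names = []
    for key, value in props.items():
        if key.startswith("TRANSFORMS-"):
            names.extend(n.strip() for n in value.split(","))
    return [transforms[n] for n in names]


def apply_host_transform(raw, transform):
    """Emulate one index-time transform targeting MetaData:Host.

    Returns the new host value, or None when REGEX does not match, in which case
    Splunk leaves the existing host (here, the forwarder's name) untouched.
    """
    if transform.get("DEST_KEY") != "MetaData:Host":
        return None
    match = re.search(transform["REGEX"], raw)   # SOURCE_KEY defaults to _raw
    if not match:
        return None
    # Expand Splunk's $1, $2, ... capture-group references in FORMAT.
    formatted = re.sub(r"\$(\d+)", lambda g: match.group(int(g.group(1))), transform["FORMAT"])
    prefix, _, value = formatted.partition("::")  # FORMAT must be host::<value>
    return value if prefix == "host" and value else None


def resolve_host(raw, forwarder_host, sourcetype="mscs:storage:table"):
    """Host the event would be indexed with: the override on match, else the HF name."""
    host = forwarder_host
    for transform in transforms_for_sourcetype(sourcetype):
        new_host = apply_host_transform(raw, transform)
        if new_host is not None:
            host = new_host
    return host


if __name__ == "__main__":
    print(resolve_host(SAMPLE_RAW, "hf01"))               # _AZDC
    print(resolve_host('{"DeploymentId": "x"}', "hf01"))  # hf01 (no RoleInstance: host unchanged)
```

Deploy both stanzas on the heavy forwarder, restart splunkd there, and check newly arriving data with a search such as `sourcetype=mscs:storage:table | stats count by host`; events indexed before the change keep the forwarder name, since index-time settings are not applied retroactively. The capture group takes the RoleInstance value verbatim, leading underscore included; narrow the group if only part of the value is wanted.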