Re: How do I trim field names in a custom Add-On?

kentcoble · ‎04-23-2018

I've created an Add-On for my workplace that collects the serial numbers of motherboards and local drives. I've constructed the scripts to send this information back in a key=value format. Everything works great as data is fed back to the indexing server from the Universal Forwarder and I can search for the data without issues. Now, I'd like to trim the field names from showing up in the search results, but I'd like to program that into the Add-On.

For example, local drive serial numbers are saved as the sourcetype diskserial and motherboard serial numbers as systemserial. So if I search for either of these, ex. sourcetype=diskserial, the results show up as:

     diskserial     |      host
====================|==============
diskserial=abc12345 | foo.local.com
diskserial=def67890 | bar.local.com

I'd like for the diskserial= to be automagically trimmed off. This would make the output much cleaner and make report generation much easier for our admins. My understanding is that I have to include some kind of Regex in the props.conf file, but I'm not sure how that's supposed to work.

kentcoble · ‎04-23-2018

To clarify, this is an Add-On that gets pushed to workstations, i.e. all machines with the UniversalForwarder installed. The props.conf file would be the one included in the Add-On, not the UniversalForwarder props.conf or server-sided props.conf. I'm trying to package everything into the Add-On to make it as convenient as possible.

How do I trim field names in a custom Add-On?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases