Hello!
I'm struggling to understand how I can use the transforms.conf stanza's to rename dynamic set of field names, ideally using the output of of a separate extraction (or just a regex which may be able to match it).
My problem more specifically is, I receive a series of events from a server which are key'd using the action being performed; the data looks like the following:
name=steve host=xxx download.doc_name=myfile.doc download.doc_id=12345 download.doc_owner=jeff
name=jeff host=yyy rename.new_doc_name=renamed.xls rename.old_doc_name=original.xls rename.doc_owner=jeff
and so on, essentially events have static metadata like the user performing the action, and information about the system they are on as regular key=value, however, when it comes to the action taken, anything relating to the action is stored as (action.key)=value.
What I'm looking for is a way to use the transforms and props stanzas to dynamically modify the fields so we can use them in searches as if they were like the following:
name=steve host=xxx action=download doc_name=myfile.doc doc_id=12345 doc_owner=jeff
name=jeff host=yyy action=rename new_doc_name=renamed.xls old_doc_name=original.xls doc_owner=jeff
I'm able to get the action= item easily enough, however, I can't seem to find any way to then strip the action & period from the front of the rest of the other key=value pairs. I'm unable to just do this statically, as there are far more actions, with each having potentially their own individual key=value pairs (such as new_doc_name & old_doc_name for rename actions).
Ideally I'd like to be able to use this transform with a few different sourcetypes which have similar formatting to this (but we keep separate based on some other factors).
Anyone with more experience know if doing something like I mentioned is possible? Please note that trying to change the data before it indexes into Splunk is not currently an option.
↧