- # Remove the metadata envelope: _raw is rewritten to the text captured after
- # "Event": with the final closing brace dropped.
- # The set_* stanzas in this file read envelope fields from _raw, so this
- # transform presumably has to run after them in the props.conf TRANSFORMS- list
- # (props.conf is not shown here; confirm the order).
- # NOTE(review): "." does not match a newline unless the regex says so, so a
- # multi-line payload may not match and would keep its envelope. Verify with sample data.
- [replace_event]
- SOURCE_KEY = _raw
- # LOOKAHEAD is the number of characters the regex may scan (default 4096).
- LOOKAHEAD = 100000000
- REGEX = "Event":(.*)}$
- FORMAT = $1
- DEST_KEY = _raw
- # Override the host metadata with the "host" value found in the event text.
- # Accepts 1-25 letters, digits or hyphens.
- # No LOOKAHEAD is set, so only the default 4096 characters of _raw are scanned.
- # NOTE(review): the pattern is unanchored and takes the first "host":"..." it finds.
- # If that key can also appear inside logged payload content, whoever produced the
- # log line influences the host value. Confirm the envelope field always comes first.
- [set_Host_value]
- SOURCE_KEY = _raw
- REGEX = "host":"([a-zA-Z0-9-]{1,25})",
- FORMAT = host::$1
- DEST_KEY = MetaData:Host
- # Override the source metadata with the "source" value found in the event text.
- # The capture excludes braces, commas and double quotes. "*" also accepts an empty value.
- # No LOOKAHEAD is set, so only the default 4096 characters of _raw are scanned.
- # NOTE(review): the value is taken from the event itself, so treat source as
- # sender-asserted rather than verified when it is used in detections.
- [set_Source_value]
- SOURCE_KEY = _raw
- REGEX = "source":"([^\}\{,\"]*)",
- FORMAT = source::$1
- DEST_KEY = MetaData:Source
- # Route the event to the index named by the "index" value found in the event text.
- # NOTE(review): the destination index is chosen by the data, so any sender that can
- # submit events decides where they land. If only a known set of indexes is
- # legitimate, an explicit alternation of those names in REGEX is a tighter control
- # than a character class.
- # NOTE(review): the class allows letters, ":" and "_" only. A name containing digits
- # or hyphens does not match, so the event keeps its original index. "*" also accepts
- # an empty value. Confirm both are intended.
- [set_Index_value]
- SOURCE_KEY = _raw
- REGEX = "index":"([a-zA-Z:_]*)",
- FORMAT = $1
- DEST_KEY = _MetaData:Index
- # Write SeverityID as an index-time field (WRITE_META) from the unquoted
- # "SeverityID" value in the event text.
- # The class accepts 1-3 characters drawn from digits and "-", so a value such as
- # "--" would also match.
- # No LOOKAHEAD is set. The key must occur within the default 4096 characters of
- # _raw to be found.
- [set_SeverityID]
- SOURCE_KEY = _raw
- REGEX = "SeverityID":([-0-9]{1,3}),
- FORMAT = SeverityID::$1
- WRITE_META = true
- # Write Component as an index-time field (WRITE_META) from the "Component" string
- # in the event text. The capture excludes braces, commas and double quotes, and
- # may be empty.
- # No LOOKAHEAD is set. The key must occur within the default 4096 characters of
- # _raw to be found.
- [set_Component]
- SOURCE_KEY = _raw
- REGEX = "Component":"([^\}\{,\"]*)",
- FORMAT = Component::$1
- WRITE_META = true
- # Write SessionID as an index-time field (WRITE_META). The value must have the
- # 8-4-4-4-12 hexadecimal layout of a GUID.
- # No LOOKAHEAD is set. The key must occur within the default 4096 characters of
- # _raw to be found.
- [set_SessionID]
- SOURCE_KEY = _raw
- REGEX = "SessionID":"([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12})",
- FORMAT = SessionID::$1
- WRITE_META = true
- # Write ComputerName as an index-time field (WRITE_META) from the "ComputerName"
- # string in the event text. Accepts 1-25 letters, digits or hyphens.
- # No LOOKAHEAD is set. The key must occur within the default 4096 characters of
- # _raw to be found.
- [set_ComputerName]
- SOURCE_KEY = _raw
- REGEX = "ComputerName":"([a-zA-Z0-9-]{1,25})",
- FORMAT = ComputerName::$1
- WRITE_META = true