How to convert a splunk transform into logstash

Hi all,

I have the following in the transform.conf of splunk:

REGEX = ([a-z]+)=([a-z]+)
FORMAT = $1::$2

What is bassicly does is convert the following search:
device="SFW" date=2016-11-13 time=12:53:08 timezone="CET" device_name="SFVUNL" device_id=C0100999CRJ6G4W log_id=010101600001 log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" priority=Information duration=10 fw_rule_id=8 policy_type=1 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="Secure Socket Layer Protocol" application_risk=1 application_technology="Network Protocol" application_category="Infrastructure" in_interface="PortA" out_interface="" src_mac=00: 0:00: 0:00: 0 src_ip=10.222.8.22 src_country_code=R1 dst_ip=5.22.252.186 dst_country_code=NLD protocol="TCP" src_port=21473 dst_port=443 sent_pkts=8 recv_pkts=7 sent_bytes=2725 recv_bytes=2295 tran_src_ip= tran_src_port=0 tran_dst_ip=10.222.8.1 tran_dst_port=8080 srczonetype="LAN" srczone="LAN" dstzonetype="WAN" dstzone="WAN" dir_disp="" connevent="Stop" connid="2960042848" vconnid="" hb_health="No Heartbeat"

Into
field = value

like
field:device value:SFW
field:date value:2016-11-13
field:time value:12:53:08
etc. etc.

Is this possible with logstash ?

Thanks!

Yep, check out https://www.elastic.co/guide/en/logstash/current/plugins-filters-kv.html

1 Like

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.