I'm using the kv plugin to extract data from Windows ForwardedEvents. Typical data to process looks like:
Client Version: 1.21.204.0
Client Policy ID: e964d551-3d3c-4a8f-8b9c-a99cce9b7ce5
IP Addresses: 192.168.0.10
Process Name: MSIP.App
Action: Download Policy
KV splits by ':' into, e.g.Client Version" : "1.21.204.0"
I can't find a way to generate the fieldnames replacing the space and lowercasing, e.g."Client Version" -> "client_version"
There is a large number of fields to deal with so I would rather process them programatically than explicitly change each one by name.
Is there a way to do this?
You can use a ruby filter. I'm pretty sure examples of that have been posted in the past.
Thanks. I'm not a ruby programmer but I tried this. It didn't work. I'm sure my mistake is blindingly obvious...
ruby{
code => "
event.to_hash.each { |k,v|
k.gsub(/[ ]/, '_')
}
"
}
Okay, this is what I did ... eventually:
ruby{
# rename fields to lowercase replacing space with _
code => "
event.to_hash.keys.each { |key|
v = event.get(key)
event.remove(key)
event.set(key.gsub(/ /, '_').downcase, v)
}
"
}
system
May 14, 2018, 1:59pm
5
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.