Welcome back to the Splunk Enterprise Certified Administrator course on Cybrary. In this video, we're gonna be doing a lab where we talk about rerouting, basically, indexed fields or default fields using props and transforms.

So what we have here to start with is an example of some logs that we brought in in a previous lab. These logs here, where they came from, those two Apache log files. We can ignore these ones; they came from a swap file that I had. I didn't mean to do that, but basically the problem here is we can see that these logs have a clearly different log format from these ones. So technically, we don't want these logs to have the same source type; they should each have their own. So in this lab, we're going to show you how you can ingest these and then break them out into two different source types.
So we're gonna do that with props and transforms, and we will just get started. We'll jump into the command line over here of the search head, which is the device we configured these inputs on. The first thing that we need to do is, um... well, first we're gonna have to stop Splunk, and then we're gonna have to clean the fishbucket so that we can re-ingest those two files. Then we will need to configure our props and transforms so that they'll do the source type reroute for us, and then we need to start Splunk back up and make sure that it worked.
So we'll start by running our splunk clean eventdata -index _thefishbucket. So this is the command for cleaning the fishbucket, which will remove all those markers so that it'll re-ingest the monitored files. So that's good. Now we need to go to our inputs.conf, and we can see here that this is the stanza that's setting the source type to sample1 right now. We can leave that, but you can also just remove this entirely because we're going to do the reroute. Sometimes it's nice to have this set, so if the reroute doesn't work, you can see "oh, data came in with this source type, so it didn't work." So we'll leave it for now, and we will add our splitting into that.
We will add, and we're gonna apply this transform to that sample1 source type, and we're gonna have three things we need to set. We'll need the DEST_KEY, the FORMAT and the REGEX. DEST_KEY for this is going to be, um, the field that we're changing, and in this case we're changing the source type. So we'll need to go to the props.conf documentation, actually transforms, because there's a special syntax you need to use when you're re-keying a metadata field. So I want to make sure that I don't mess it up. Just so happens that the last time I visited this I was on the same exact link. So these are the values that you use to reference those keys. So this will be our DEST_KEY in this example. And then the FORMAT will be sourcetype::, and then whatever the new value we want to make it is. So let's look at the two logs that we had. I can't look in Splunk anymore.
Um, I think I have them open right here. So this is the Apache access log. So we're gonna use that as the name; we'll just call it access, and the REGEX to match this would be this one. So we're just going to say, if it starts with three numbers and it's this source type, set the source type field to Apache access. Then we need another one for the other data. So we're going to copy this and change it for the new regex. The other logs, we can see this here in the background, start with a square bracket. So we will just specify that, and then we'll call this Apache error. Okay, so that is all we need in terms of transforms. We just need a regex to match, the field we want to change, the value we want to put in there, and the data to apply it to.
Actually, I'm sorry, that's wrong. This needs to be called "reroute," and I'm gonna change this to camel case. Okay, so it's a little more readable. In the props is where we'll specify the source type that we want to apply this to. Here it's just an arbitrary name; that was my mistake. Apache access reroute. So we're gonna need to use those two exact names, so I'm going to copy them out. We don't have any errors.
Okay, so now that that's made, we make our props. That was gonna be an example for something else, but we will do that later. So this is going to apply to sample1, which is the source type. We're gonna do TRANSFORMS because we're calling some transform stanzas from transforms.conf. So this is what denotes that it's an attribute for that. So then we just give it an arbitrary name. We'll call it Apache source type reroute, and we'll set this equal to these two values separated by a comma. And so this will call those two transform stanzas and should apply. So then this will happen when we start up Splunk and ingest that data, and it should reroute everything properly so we don't have to worry about using a generic source type that doesn't properly define our data.
So let's run our start command, get back to Splunk, and we're going to check to see if this works. I'll search for those new values. We'll do Apache star, and so far we have our Apache access as well as our Apache error, so you can see that actually did work. And we can also check to make sure that all of them got rerouted properly, which they did. Otherwise we'd see a value there.
So that covers, basically, rerouting that data that way. Now there's one other thing I wanted to hit on there, which is, um, how to not index data altogether. So the way we're going to do this is we're gonna redo our props and transforms to discard one of these source types. Um, except we're not gonna specify it by source type; we're gonna specify it by regex. So we're gonna discard one of these and demonstrate how that's done.
So let's get back into our logs. We'll need to stop Splunk again. Hopefully this will be a pretty quick demonstration; we could just switch some of the fields we already have. While that's loading, I'll find, um, this is gonna be the key that we need to change. No, not that one. It's gonna be queue. "You must specify nullQueue." So that's the setting we'll need. We will go back and we will clean that event data again, so that we'll be able to re-index that data again. We will go back to our transforms, and we'll call this... so we'll keep this one, and we'll keep the one that looked at the data named Apache access. And we'll call this, um, Apache error... no, no, never mind that. And we're going to say if it matches this regex, then the DEST_KEY will be queue, and FORMAT will be nullQueue. And so this will tell it not to index the data.
And we just need to go back to our transforms and change it so it reflects the new name... or our props, I meant. Change this so that our value is appropriate. Um, and you know what, actually, I'm gonna switch this to sample2 just to be sure. Let's go back to our inputs. Call this sample2, so all those configurations should be what we need. And let's just run a restart. Then we'll check it out and hopefully, ah, we'll see that this data was logged and this data was discarded.
The only concern I could possibly see is we might see some of this old data still come up. But if that is the case, we'll see double the amount of events for our access logs. So this should jump to 14 and this should remain the same. So you can see that jumped to 14, and we still have only just this one log. So that means that data was successfully discarded and was not indexed. So that is how you basically filter out data. You could do it much more specifically, like you could look for events that are just junk, like maybe this is just all hyphens and each of these spaces, and it just doesn't provide any data. In those cases, you could write a regex to drop that specifically, or, if it's like Windows, you could find specific event codes that aren't good, etcetera, etcetera. But basically anything that matches a regex pattern, you can choose to drop just to save on licensing.
But that is how you would change an indexed field. If you're using a different one, just make sure to get the proper value. Uh, and make sure that you place this either on a heavy forwarder or an indexer, wherever parsing is first taking place, because that's where this will be applied. But that's how you change your DEST_KEYs dynamically for your default fields, or choose not to index data at all.
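The two configurations the video walks through (the source type reroute and the nullQueue discard), written out as an added example rather than the course's own files; the stanza names, the values apache_access and apache_error, and the names after TRANSFORMS- are assumptions:

```ini
# Re-ingest the monitored files after editing (run on the parsing host):
#   splunk stop
#   splunk clean eventdata -index _thefishbucket
#   splunk start

# ---- transforms.conf ----
# Reroute: overwrite the source type of an event at parse time.
# The metadata key must be referenced as MetaData:Sourcetype and the
# FORMAT must carry the sourcetype:: prefix, or the reroute silently fails.
[apacheAccessReroute]
REGEX    = ^\d{3}
FORMAT   = sourcetype::apache_access
DEST_KEY = MetaData:Sourcetype

[apacheErrorReroute]
REGEX    = ^\[
FORMAT   = sourcetype::apache_error
DEST_KEY = MetaData:Sourcetype

# Discard: matching events go to the null queue and are never indexed,
# so they do not count against the license.
[apacheErrorDiscard]
REGEX    = ^\[
DEST_KEY = queue
FORMAT   = nullQueue

# ---- props.conf ----
# Lab 1: split the generic source type into two. Each REGEX is tested
# against the raw event text; the transforms run in the order listed.
[sample1]
TRANSFORMS-apacheSourcetypeReroute = apacheAccessReroute, apacheErrorReroute

# Lab 2: keep the access events, drop the error events before indexing.
[sample2]
TRANSFORMS-apacheFilter = apacheAccessReroute, apacheErrorDiscard
```

After a restart, a search such as sourcetype=apache* should return only the rerouted source types; any event still carrying sample1 or sample2 means its line did not match either REGEX.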
So that wraps up this video, and I look forward to seeing you in the next one.