Created
December 5, 2022 03:25
splunkcloud: generate hec input stanza from splunkcloud config
| rest splunk_server=local /services/data/inputs/http
```
some fields may not be populated so
we try to come up with sane defaults
```
| eval allowQueryStringAuth = if(isnull(allowQueryStringAuth), "false", allowQueryStringAuth)
| eval useACK = if(isnull(useACK), "false", useACK)
| eval indexes = if(isnull(indexes), index, mvjoin(indexes, " "))
| fillnull value="" sourcetype
| rex field=title ".*\/\/(?<x_description>[^\$]+)"
| eval description = if(isnull(description), x_description, description)
| eval newline = "
"
```
and create our stanza
(setting names are case-sensitive, so the key is written as useACK)
```
| eval stanza = "[" . title . "]" . newline .
    "description = " . description . newline .
    "token = " . token . newline .
    "indexes = " . indexes . newline .
    "index = " . index . newline .
    "sourcetype = " . sourcetype . newline .
    "useACK = " . useACK . newline .
    "allowQueryStringAuth = " . allowQueryStringAuth
| fields stanza