So, on nf (on UF) for index time field extraction, put on indexer, else on Search Head props. On indexer side, you extract those categorization fields and put into separate fields which you can use during searching/reporting. They will be set on Client (with whatever method you've in place). What you can do is that you can set value of host (this can be set in nf on UF) to a combination of whatever values you want to assign, say concatenated by colon or something. If this doesn't help you get what you want, I hope someone else in the community can provide a better solution. However, I can suggest one workaround using which you can send/set multiple values that can be later used for categorization of the data coming from the client. Please do NOT set a host or source attribute in nf. Well, both the options I suggested manipulate based on client (host value coming from forwarder) only. As a requirement for the configurations to apply correctly the inputs on the WEC have to be tagged with the sourcetype WinEventlog:ForwardedEvents or XmlWinEventlog:ForwardedEvents (if renderXml is set to true). The question I have is, how could I have 'multiple' such added fields specified by the universal forwarder? I know there is folklore saying doing this on the forwarder side is somehow evil or something, but we're talking about adding under a half-dozen custom fields (?) for all the events coming from the forwarder computer. Any suggestions other than pointers to the impossibly unreadable/abstract/no-examples docs which I've wasted tens of hours on already? Just like specifying which index to use, I also specify _meta = somename::value in nf. I stumbled across the _meta construct in nf, which works well enough for 'one' custom field. Since VMs come and go, we can't do any persistent mapping of which computer has these added characteristics (host-n.n.n.n might be dev today, prod tomorrow), but the 'data' is persistent.
This table indicates the CIM datamodels and tags that apply to Palo Alto Networks data. For example, a particular computer might be from project-X and be in an environment of test or prod or development. The Palo Alto Networks Add-on is fully compliant with the Common. We're trying to find a way to have the universal forwarder send data to the indexer essentially pre-marked with a small number of custom fields (or the like) that we can later search on.