[Oisf-users] padding eve.json with additional field
erik clark
philosnef at gmail.com
Mon Oct 1 12:32:20 UTC 2018
I would like to pad eve.json output for alerts with an additional
field, in the following manner:
{"ids_target":"https://myidshost.net/moloch/sessions?expression=ip==1.2.3.5:52311%20%26%26%20ip==1.2.3.4:46284"}
where 1.2.3.5:52311 is either the src or dest ip + its port, and
1.2.3.4:46284 is its complement.
This is trivial to do with logstash + elasticsearch, but I need to pull
these additional json values into Splunk, which doesn't have a rewrite
function to do this that I am aware of.
The goal is to have a Splunk clickable link like in Kibana. Please
advise! Thank you!!
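One way to add the field before the records reach Splunk is to post-process the eve.json stream itself. The script below is an added example, not code from the poster or from the Suricata project; it builds the Moloch sessions link from the standard eve alert fields (src_ip, src_port, dest_ip, dest_port), URL-encodes the expression the same way the link in the post is encoded, and leaves non-alert records untouched. The base URL is taken from the post and is assumed; port-less events (e.g. ICMP) fall back to an ip-only expression.

```python
import json
from urllib.parse import quote

# Base URL as it appears in the post; assumed, replace with your own Moloch host.
MOLOCH_BASE = "https://myidshost.net/moloch/sessions"


def moloch_link(src_ip, src_port, dest_ip, dest_port, base=MOLOCH_BASE):
    """Build a Moloch sessions link for one flow.

    The expression "ip==A:p1 && ip==B:p2" is percent-encoded so that
    spaces become %20 and '&' becomes %26, matching the example link.
    Ports may be None (no-port protocols), in which case only the IP is used.
    """
    def side(ip, port):
        return f"ip=={ip}:{port}" if port is not None else f"ip=={ip}"

    expression = f"{side(src_ip, src_port)} && {side(dest_ip, dest_port)}"
    # '=' and ':' are kept literal; everything else non-unreserved is encoded.
    return f"{base}?expression={quote(expression, safe='=:')}"


def enrich_event(event, base=MOLOCH_BASE):
    """Return a copy of an eve.json event with an 'ids_target' field added.

    Only alert records get the link; other event types are returned unchanged
    so the rest of the stream is not altered.
    """
    if event.get("event_type") != "alert":
        return event
    enriched = dict(event)
    enriched["ids_target"] = moloch_link(
        event["src_ip"], event.get("src_port"),
        event["dest_ip"], event.get("dest_port"),
        base=base,
    )
    return enriched


def enrich_eve_line(line, base=MOLOCH_BASE):
    """Parse one eve.json line, enrich it, and re-serialise it as one line."""
    event = json.loads(line)
    return json.dumps(enrich_event(event, base=base), separators=(",", ":"))


# Constructed sample alert record (not captured from a real sensor).
SAMPLE_ALERT = json.dumps({
    "timestamp": "2018-10-01T12:00:00.000000+0000",
    "event_type": "alert",
    "src_ip": "1.2.3.5", "src_port": 52311,
    "dest_ip": "1.2.3.4", "dest_port": 46284,
    "proto": "TCP",
    "alert": {"signature_id": 1, "signature": "constructed test signature"},
})


if __name__ == "__main__":
    # Typical use: tail -f eve.json | python this_script.py > eve.enriched.json
    import sys
    for raw in sys.stdin:
        raw = raw.strip()
        if raw:
            print(enrich_eve_line(raw))
```

Feeding the enriched file (rather than the raw eve.json) into the Splunk input keeps ids_target as an ordinary indexed field; in Splunk a workflow action or a link-type field in the search app can then render it as a clickable pivot, which is what the Kibana link does.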