Microsoft Cloud Services Azure Security Recommendation logs: Field extractions module¶
Use case¶
Use this SPL2 module when you want to preserve the Splunk Add-on for Microsoft Cloud Services field-extraction behavior for mscs:azure:security:recommendation data in an SPL2 workflow. Modules are reusable building blocks that can be referenced from SPL2 pipelines instead of rewriting sourcetype-specific extraction logic by hand.
Version 0.1.0¶
Version 0.1.0 of the Microsoft Cloud Services Azure Security Recommendation logs: Field extractions module was released with the Splunk Add-on for Microsoft Cloud Services SPL2 content update.
Module details¶
Compatibility¶
This module is compatible with Splunk Add-on for Microsoft Cloud Services v6.2.0.
Module description¶
This module is generated from the add-on’s props.conf and transforms.conf knowledge objects. Its purpose is to preserve the same field-extraction, normalization, calculated-field, and lookup behavior that the add-on defines for the mscs:azure:security:recommendation sourcetype, but in reusable SPL2 form.
Supported sourcetype¶
This module applies to events with the mscs:azure:security:recommendation sourcetype.
Module outline¶
The module consists of helper functions followed by one exported function.
| Function name | Description | Configuration options |
|---|---|---|
apply_kv_mode |
Applies KV_MODE-based extraction behavior for the sourcetype when applicable. |
No configuration options. |
apply_extractions |
Applies regex-based extraction behavior derived from REPORT, EXTRACT, and TRANSFORMS knowledge objects. |
No configuration options. |
apply_normalizations |
Applies field alias behavior derived from FIELDALIAS knowledge objects. |
No configuration options. |
apply_calculations_on_fields |
Applies calculated-field behavior derived from EVAL knowledge objects. |
No configuration options. |
apply_lookups |
Applies lookup enrichments derived from LOOKUP knowledge objects when present. |
No configuration options. |
_flatten_json |
Flattens nested JSON data into top-level fields for downstream extraction logic. | No configuration options. |
mscs_azure_security_recommendation_field_extractions_function |
Exported module function for mscs:azure:security:recommendation events. |
No configuration options. |
Example usage¶
You can reference the exported function from a pipeline that targets mscs:azure:security:recommendation events, for example:
$pipeline = | from $source
| mscs_azure_security_recommendation_field_extractions_function
| into $destination