This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Change data in filed

Go to solution
Anonymous
Not applicable

‎2015-09-23 09:02 AM

Hello,

 

Maybe someone know how I can transform username or any other meta key from format1 to format2. For example, events from event source 1 come to SA in format "firstname.lastname", events from event source 2 come to SA in format "firstname lastname". Does anyone known how I can transform format 1 to format 2 or vice versa?

0 Likes
1 ACCEPTED SOLUTION

Accepted Solutions

Go to solution
Anonymous
Not applicable

‎2015-09-30 11:39 AM

If I read the question correctly, the difference is the dot "." in event source 1 vs a [space] in event source 2.

 

A parser with a meta callback should be able to do this.  If it is coming from a log source, I would suggest adjusting the parser to write to a temporary transient meta key.  Then, create a lua parser that will pick up the meta from the transient meta key, perform the string manipulation, and then write to the meta key of your choice (probably a common one to stay consistent).

 

Lua framework could look like this:

 

> tempuser = "chris.ahearn"

> myuser = string.gsub(tempuser, "%.", " ")

> print(myuser)

chris ahearn

 

 

> tempuser = "chris ahearn"

> myuser = string.gsub(tempuser, " ", ".")

> print(myuser)

chris.ahearn

View solution in original post

0 Likes
3 REPLIES 3

Go to solution
Anonymous
Not applicable

‎2015-09-30 11:39 AM

If I read the question correctly, the difference is the dot "." in event source 1 vs a [space] in event source 2.

 

A parser with a meta callback should be able to do this.  If it is coming from a log source, I would suggest adjusting the parser to write to a temporary transient meta key.  Then, create a lua parser that will pick up the meta from the transient meta key, perform the string manipulation, and then write to the meta key of your choice (probably a common one to stay consistent).

 

Lua framework could look like this:

 

> tempuser = "chris.ahearn"

> myuser = string.gsub(tempuser, "%.", " ")

> print(myuser)

chris ahearn

 

 

> tempuser = "chris ahearn"

> myuser = string.gsub(tempuser, " ", ".")

> print(myuser)

chris.ahearn

0 Likes

Go to solution
RSAAdmin
Beginner
Beginner
In response to Anonymous

‎2015-10-02 04:07 AM

Hi! What is "parser with a meta callback"? Is this callback can be used with events comes from log source?

Could you please share some docs about lua parsers example and usage?

0 Likes

Go to solution
Anonymous
Not applicable
In response to RSAAdmin

‎2015-10-06 07:26 PM

A parser with a meta callback is basically reaching into the database for meta that was previously written.  For example, if i needed to perform some kind of string manipulation on 'alias.host', I would issue that as my token match as opposed to something from the raw network stream.

 

function roothost:hostMeta(index, host)

     rootDomain = do something

     nw.createMeta(self.keys["root.host"], rootDomain)

end

 

roothost:setCallbacks({

    [nwlanguagekey.create("alias.host")] = roothost.hostMeta,

    [nwevents.OnSessionEnd] = roothost.sessionEnd,

})

 

It is another way of doing something with meta that was previously added to the database...whether it was written or labeled as transient, which would not get written when the session was over.

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.