Is it possible (via scripts vs code modifications) to rename existing columns in a log file? The logging documentation has examples for filtering out specific events, or adding additional columns, but I couldn't find a reference for renaming.
Thanks,
-Dave
You can do something like this:
# Rename columns in every log that carries these fields (the map is the
# default field_name_map for all log filters):
redef Log::default_field_name_map = {
    ["id.orig_h"] = "src",
    ["id.orig_p"] = "src_port",
    ["id.resp_h"] = "dst",
    ["id.resp_p"] = "dst_port",
};
Thanks for the pointer, Daniel! I was able to find the documentation here: https://www.bro.org/sphinx-git/scripts/base/frameworks/logging/main.bro.html#id-Log::default_field_name_map
I also have this working at the filter level now, and it helps me reduce overhead on the Splunk side.
-Dave
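The filter-level variant Dave mentions, as an added example that is not part of the original thread. Instead of redefining Log::default_field_name_map (which renames the fields in every log that has them), it sets Log::Filter's field_name_map on one extra filter for Conn::LOG, so the stock conn.log keeps Bro's column names while a second file, conn-splunk.log, gets the renamed ones. The filter name "conn-splunk" and the output path are my choices, not anything from the thread; on Zeek the event is zeek_init instead of bro_init.

```bro
# Added example, not from the original post: per-filter column renaming.
@load base/protocols/conn

event bro_init()
    {
    # A second filter on the conn stream. The default filter is untouched,
    # so conn.log is still written with id.orig_h, id.resp_h, etc.
    # Filter name and path are arbitrary choices for this example.
    local splunk_filter: Log::Filter = [
        $name = "conn-splunk",
        $path = "conn-splunk",
        # Keys are the flattened column names as they appear in the log
        # header; values are the names written to this filter's output only.
        $field_name_map = table(
            ["id.orig_h"] = "src",
            ["id.orig_p"] = "src_port",
            ["id.resp_h"] = "dst",
            ["id.resp_p"] = "dst_port")
        ];

    Log::add_filter(Conn::LOG, splunk_filter);
    }
```

To rename in place rather than in a second file, give the filter the name "default" and omit $path: adding a filter whose name matches an existing one replaces it, and the path then falls back to the stream's default ("conn"). The filter map only covers the fields listed; columns not in the map keep their original names.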