Feature Requests

Event Forwarding filtered by Content Pack extracted fields

We are trying to forward only specific NSX rules to Splunk: rules that fall within specific subnet ranges. I'd like the ability to filter on a regex search of vmw_nsx_firewall_dst or any of the other NSX fields.


Story:

Content packs contain Extracted Field definitions. These are source-specific parser rules that interpret the content of a log message and generate new key=value fields.


* Want to use such fields to control Event Forwarding, such as forwarding all logs of a given type.

* Expect a performance penalty higher than that of source-provided static fields or vip-tagging.

* Expect fields to short-circuit evaluation based on Additional Context, possibly requiring static string comparison to avoid regex overhead.


2 votes
Idea No. 481
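The evaluation order the story asks for (cheap static comparison first, regex extraction only for events that survive it, then a subnet match on the extracted destination) as an added Python example. This is not code from the original request or from any product; the event records, the "source" static field, the simplified firewall message layout and the ForwardingFilter class are all constructed for illustration. Only the field name vmw_nsx_firewall_dst comes from the request.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample events. "source" stands in for a static field set at
# ingestion; "text" is a simplified stand-in for an NSX distributed-firewall
# syslog line, not the real format.
SAMPLE_EVENTS = [
    {"source": "nsx-dfw", "text": "dfw INET match PASS 1001 OUT TCP 192.168.1.10/50000->10.20.5.7/443"},
    {"source": "nsx-dfw", "text": "dfw INET match DROP 1002 IN UDP 172.16.0.9/5353->10.30.1.1/5353"},
    {"source": "nsx-dfw", "text": "dfw INET match PASS 1003 IN TCP 10.20.7.7/40000->10.20.0.15/22"},
    {"source": "linux-auth", "text": "sshd[1234]: Accepted publickey for ops from 10.20.5.7 port 55000"},
    {"source": "nsx-dfw", "text": "dfw heartbeat ok"},  # no 5-tuple: extraction fails
]

# Extracted-field definition in the style of a content-pack parser rule: one
# regex with a named group that becomes the key of the new key=value field.
NSX_DST_FIELD = re.compile(
    r"->(?P<vmw_nsx_firewall_dst>\d{1,3}(?:\.\d{1,3}){3})/\d+"
)


@dataclass
class ForwardingFilter:
    """Hypothetical forwarding filter: static field gate, then extracted-field match."""
    required_source: str                       # static field, compared by string equality
    dst_networks: list                         # list of ipaddress.ip_network objects
    stats: dict = field(default_factory=lambda: {"static_rejects": 0, "regex_runs": 0})

    def matches(self, event) -> bool:
        # 1. Static field first: a string comparison costs nothing compared to
        #    a regex, so events from other sources never reach the parser.
        if event["source"] != self.required_source:
            self.stats["static_rejects"] += 1
            return False
        # 2. Only now pay for extraction.
        self.stats["regex_runs"] += 1
        m = NSX_DST_FIELD.search(event["text"])
        if not m:
            return False                       # field absent: do not forward
        try:
            dst = ipaddress.ip_address(m.group("vmw_nsx_firewall_dst"))
        except ValueError:
            return False                       # matched text is not a valid address
        # 3. Subnet test on the extracted value rather than a regex on the
        #    dotted-quad string, which is hard to get right for CIDR ranges.
        return any(dst in net for net in self.dst_networks)


def make_filter():
    """Filter from the request: NSX firewall events whose destination is in 10.20.0.0/16."""
    return ForwardingFilter("nsx-dfw", [ipaddress.ip_network("10.20.0.0/16")])


def select_for_forwarding(events, flt):
    """Return the message text of every event the filter would forward."""
    return [e["text"] for e in events if flt.matches(e)]


if __name__ == "__main__":
    f = make_filter()
    for line in select_for_forwarding(SAMPLE_EVENTS, f):
        print("forward:", line)
    print("stats:", f.stats)
```

Run against the constructed events, the filter forwards the two PASS lines with destinations in 10.20.0.0/16, drops the 10.30.1.1 line, rejects the sshd line on the static field without ever running the regex, and drops the heartbeat line because the field cannot be extracted. The counters make the point in the story's second and third bullets visible: regex cost is paid only for events that pass the static gate.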