Event Forwarding filtered by Content Pack extracted fields
We are trying to forward only specific NSX rules to Splunk: rules that are in specific subnet ranges. I'd like the ability to filter on a regex search of vmw_nsx_firewall_dst or any of the other NSX fields.
Content packs contain Extracted Field definitions. These are source-specific parser rules which interpret the content of a log message and generate new key=value fields.
* Want to use such fields to control Event Forwarding, such as forwarding all logs of a given type.
* Expect a performance penalty higher than source-provided static fields or vip-tagging.
* Expect fields to short-circuit evaluation based on Additional Context, possibly requiring static string comparison to avoid regex overhead.
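A sketch of the forwarding filter described above, as an added example that is not product code or part of the original idea: a static substring check short-circuits before the extraction regex runs, and the extracted vmw_nsx_firewall_dst value is then tested against subnet ranges. The marker string, the extraction regex, the subnet list and the log lines are all assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumption: static marker standing in for "Additional Context"; a plain
# substring test keeps unrelated logs from ever reaching the regex.
CONTEXT_MARKER = "dfwpktlogs:"

# Assumption: simplified extraction rule for the destination address,
# standing in for the content pack's vmw_nsx_firewall_dst definition.
DST_RULE = re.compile(r"->(?P<vmw_nsx_firewall_dst>\d{1,3}(?:\.\d{1,3}){3})\b")

# Hypothetical subnet ranges whose firewall events should be forwarded.
FORWARD_SUBNETS = [ipaddress.ip_network(n)
                   for n in ("10.20.0.0/16", "192.168.50.0/24")]


def extract_dst(message):
    """Return the extracted destination field, or None if the rule does not apply."""
    if CONTEXT_MARKER not in message:   # cheap short-circuit, regex never runs
        return None
    match = DST_RULE.search(message)
    return match.group("vmw_nsx_firewall_dst") if match else None


def should_forward(message):
    """Forward only events whose extracted destination is in a listed subnet."""
    dst = extract_dst(message)
    if dst is None:
        return False
    try:
        addr = ipaddress.ip_address(dst)
    except ValueError:                  # pattern matched a non-address such as 999.1.1.1
        return False
    return any(addr in net for net in FORWARD_SUBNETS)


# Constructed sample events (not captured from a real system).
SAMPLE_EVENTS = [
    "2024-01-01T00:00:01Z esx01 dfwpktlogs: 1001 INET match PASS domain-c7/1005 IN 60 TCP 10.1.1.5/40112->10.20.3.9/443 S",
    "2024-01-01T00:00:02Z esx01 dfwpktlogs: 1002 INET match DROP domain-c7/1006 IN 60 TCP 10.1.1.5/40113->172.16.0.4/22 S",
    "2024-01-01T00:00:03Z esx02 sshd[811]: Accepted publickey for admin from 10.1.1.5 port 50222",
    "2024-01-01T00:00:04Z esx01 dfwpktlogs: 1003 INET match PASS domain-c7/1005 OUT 60 UDP 10.1.1.5/5353->192.168.50.20/53",
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print("FORWARD" if should_forward(event) else "skip   ", event)
```

Matching on parsed addresses rather than a regex over the dotted string avoids the usual subnet-regex mistakes, such as a pattern for 10.20. also matching 110.20.x.x.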