search

Data Transformations

Scanner can transform your logs during ingestion. Below are the types of transformations you can configure for your Index Rules.

Note that all data added by transformations will count against your ingestion volume.

hashtag
Normalize to ECS (Elastic Common Schema)

Add normalized ECS (Elastic Common Schema) fields to the log events.

hashtag
Parameters

  • Log Source: One of the 12 log sources for which Scanner provides out-of-the-box normalization.

hashtag
Example

// Parameters
// Log source: "CloudTrail"

// Input log event
{
    "eventName": "CreateBucket",
    "awsRegion": "us-east-1",
    "recipientAccountId": "123456789012",
    "eventSource": "s3.amazonaws.com",
    "requestID": "request-1234567890",
    "sourceIPAddress": "192.168.1.1",
    "userAgent": "aws-cli/2.2.0 Python/3.8.10",
    "userIdentity": {
        "arn": "arn:aws:iam::123456789012:user/john.doe",
        "userName": "john.doe",
        "type": "IAMUser"
    },
}

// Output log event
{
    // Normalized fields are added under a new `@ecs` object
    "@ecs": {
        "event": { "action": "CreateBucket", "outcome": "success" },
        "cloud": {
            "provider": "aws",
            "region": "us-east-1",
            "account": { "id": "123456789012" },
            "service": { "name": "s3.amazonaws.com" },
        },
        "http": { "request_id": "request-1234567890" },
        "source": { "ip": "192.168.1.1" },
        "user_agent": "aws-cli/2.2.0 Python/3.8.10",
        "user": { "id": "arn:aws:iam::123456789012:user/john.doe", "name": "john.doe" },
    },
    // Existing fields are still included and unchanged
    "eventName": "CreateBucket",
    "awsRegion": "us-east-1",
    "recipientAccountId": "123456789012",
    "eventSource": "s3.amazonaws.com",
    "requestID": "request-1234567890",
    "sourceIPAddress": "192.168.1.1",
    "userAgent": "aws-cli/2.2.0 Python/3.8.10",
    "userIdentity": {
        "arn": "arn:aws:iam::123456789012:user/john.doe",
        "userName": "john.doe",
        "type": "IAMUser"
    },
}

hashtag
Extract by Regex

Extract values from a specified column using a regex and add them as new columns.

hashtag
Parameters

  • Extract from column: The existing column to extract from.

  • Regex:

    • The regex pattern to apply to the column value. Must have at least one named capture groups.

    • The name of the captured group will be used in the new column names.

hashtag
Example

hashtag
Extract Timestamp

Every log event in Scanner must have a timestamp. This transformation allows users to specify the column from which to extract the timestamp. Must have at least one per Index Rule.

hashtag
Supported Timestamp Formats

Scanner supports various timestamp formats, including:

  • RFC 2822

  • RFC 3339

  • Unix epoch timestamp (seconds/milliseconds/microseconds/nanoseconds since epoch)

The best way to check if timestamps are extracted correctly is to use the preview tool. A warning will appear if Scanner failed to extract the timestamps from the specified columns.

hashtag
Fallbacks

You may specify additional "Extract Timestamp" steps as fallbacks. This is useful if the logs from the same source are heterogenous (i.e. they don't all have the same timestamp field).

If all fails (e.g. none of the columns specified are present), Scanner will make a best guess based on:

  • The timestamp of preceding log events in the same file, or

  • The S3 file's "last modified" timestamp.

hashtag
Parameters

  • Extract from column: The timestamp column, or the column from which it will be extracted.

  • Regex (optional):

    • If the timestamp needs to be extracted from a string column (e.g. a "message" column), the regex is used to extract the value.

    • Must have exactly one capture group for the timestamp value.

    • Not needed if the column value contains just the timestamp.

    • Does not apply if the column value is not a string.

hashtag
Example

hashtag
Parse JSON Columns

Parses all stringified JSON objects or arrays, so the structure is reflected and indexed in Scanner.

hashtag
Example

hashtag
Parse Key-Value Columns

Parses all "key=value" pairs from all string columns.

Note that there isn't a single widely adopted standard for key-value pairs. If the Scanner implementation does not parse your logs correctly (or is too noisy), you should use the "Extract by Regex" transformation instead.

hashtag
Example

hashtag
Unroll Array

Transform one log event into multiple by unrolling an array column. Useful when the actual events are wrapped in an array in one object.

All fields other than the "unroll column" will be duplicated for each log event.

hashtag
Parameters

  • Unroll column: The column to be unrolled.

hashtag
Example

hashtag
Enrich with AlienVault OTX

Enriches log events with threat intelligence data from AlienVault Open Threat Exchange (OTX). This transformation matches log fields (IPs, domains, URLs, email addresses, file hashes) against threat indicators and appends threat metadata to matching events.

Note: This transformation requires setting up an AlienVault OTX integration and creating a synced lookup table first.

For detailed information about parameters, output structure, and examples, see Threat Intelligence.

PreviousData Transformation & EnrichmentNextCustom VRL

Last updated

Was this helpful?