transforms.conf

#Beats
[ta-windows-fix-beats-xml-source]
DEST_KEY = MetaData:Source
REGEX = \"channel\"\:\"([^\"]*)
FORMAT = source::XmlWinEventLog:$1

[beats_eventdata_xml_block]
REGEX = (?ms)\"event_data\":{(.*?\")}\,
FORMAT = EventData_Xml::$1


[beats_system_props_xml_attributes_Name]
#Provider Name
SOURCE_KEY = _raw
REGEX = (?ms)\"provider\_name\":\"([^\"]*)
FORMAT = Name::$1
MV_ADD = 1

[beats_system_props_xml_attributes_Guid]
#Provider Guid
SOURCE_KEY = _raw
REGEX = (?ms)\"provider\_guid\":\"([^\"]*)
FORMAT = Guid::$1
MV_ADD = 1

[beats_system_props_xml_attributes_SystemTime]
#System Time
SOURCE_KEY = _raw
REGEX = (?ms)\"@timestamp\":\"([^\"]*)
FORMAT = SystemTime::$1
MV_ADD = 1

[beats_system_props_xml_attributes_RawTime]
#RawTime
SOURCE_KEY = _raw
REGEX = (?ms)\"created\":\"([^\"]*)
FORMAT = RawTime::$1
MV_ADD = 1

[beats_system_props_xml_attributes_ActivityID]
#ActivityID
SOURCE_KEY = _raw
REGEX = (?ms)\"activity_id\":\"([^\"]*)
FORMAT = ActivityID::$1
MV_ADD = 1

[beats_system_props_xml_attributes_ProcessID]
#ProcessID 
SOURCE_KEY = _raw
REGEX = (?ms)\"process\":{\"thread\":{\"id\":\d*\}\,\"pid\"\:([^}]*)
FORMAT = ProcessID::$1
MV_ADD = 1

[beats_system_props_xml_attributes_ThreadID]
#ThreadID 
SOURCE_KEY = _raw
REGEX = (?ms)\"process\":{\"thread\":{\"id\":([^}]*)
FORMAT = ThreadID::$1
MV_ADD = 1

[beats_eventdata_xml_data]
#Beats
REGEX = \"([^\"]*)\"\:\"([^\"]*)
FORMAT = $1::$2
MV_ADD = 1

[EventID_as_EventCode_beats]
REGEX = \"event\_id\"\:(?:\")?([^\"}\,]*)
FORMAT = EventCode::$1

[EventRecordID_as_RecordNumber_beats]
REGEX = \"record\_(?:id|number)\"\:([^\,\}\"]*)
FORMAT = RecordNumber::$1