Eric Fontana
2014-07-29 14:00:42 -04:00
parent 71b2dee43c
commit caaea77686
4 changed files with 19 additions and 1 deletions


@@ -234,6 +234,7 @@ namespace TimberWinR.Parser
public WindowsEvent()
{
Source = "System";
StringsSep = "|";
FormatMsg = true;
FullText = true;
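
Review bot: The `Source = "System";` default at the top of the `WindowsEvent()` constructor is a bare string literal that the parameter documentation has to repeat by hand. Consider a named constant, or at least a comment pointing at the documented default, so the code and the docs cannot drift apart. It is also worth stating in the docs that a configuration which omits *source* will read the System log, so the Application and Security logs are only collected when they are named explicitly.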


@@ -6,7 +6,7 @@ The following parameters are allowed when configuring WindowsEvents.
| Parameter | Type | Description | Legal Values | Default |
| :---------------- |:---------------| :----------------------------------------------------------------------- | :--------------------------- | :-- |
| *source* | property:string |Windows event logs | Application,System,Security | |
| *source* | property:string |Windows event logs | Application,System,Security | System |
| *binaryFormat* | property:string |Format of the "Data" binary field. | ASC,HEX,PRINT | **ASC** |
| *msgErrorMode* | property:string |Behavior when event messages or event category names cannot be resolved. |NULL,ERROR,MSG | **MSG** |
| *direction* | property:string |Format of the "Data" binary field. | FW,BW | **FW** |
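
Review bot: In the new *source* row the default is written as plain `System`, while every other row in this table bolds its default (`**ASC**`, `**MSG**`, `**FW**`); use `**System**` for consistency. While this table is open, the *direction* row's description, `Format of the "Data" binary field.`, is identical to the *binaryFormat* row's and looks like a copy-paste; it should say what FW and BW select.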

1
mdocs/DateFilter.md Normal file

@@ -0,0 +1 @@
# Date Filter
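
Review bot: `mdocs/DateFilter.md` is added with only the `# Date Filter` heading, with no description and no parameter table. Either hold the file back until it has content, or add a one-line description and a note that the parameters are still to be documented, so a reader who lands on the page is not left with an empty document.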

16
mdocs/MutateFilter.md Normal file

@@ -0,0 +1,16 @@
# Mutate Filter
The mutate filter allows you to perform general mutations on fields. You can rename, remove, replace and modify fields in your events. This filter will automatically be applied to all inputs before sending to the outputs. If you want to make a
filter conditional, use the ***condition*** property to specify a legal C# expression.
## Mutate Parameters
The following parameters are allowed when configuring WindowsEvents.
| Parameter | Type | Description
| :-----------|:----------------|:-----------------------------------------------------------------------
| *condition* | property:string |Windows event logs
|```Code goes here```
| *rename* | property:array |Rename one or more fields
| *replace* | property:string |Replace a field with a new value. The new value can include %{foo} strings to help you build a new value from other parts of the event.
| *split* | property:string |Separator between values of the "Strings" field.
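
Review bot: The parameter section of this new file still carries text copied from the WindowsEvents page: the intro line says `configuring WindowsEvents`, *condition* is described as `Windows event logs`, and *split* as `Separator between values of the "Strings" field.`; all three need Mutate-specific wording. The `Code goes here` row is a placeholder that should become a real *condition* example or be dropped, the table rows lack the closing `|` used in the WindowsEvents table, and the intro promises "remove" but no such parameter is listed. Since *condition* takes a C# expression, the doc should also say which event fields the expression can reference and what happens when it does not evaluate.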