Convert data in a specified event field to OCSF format
Use the to_ocsf SPL2 function in an Edge Processor pipeline to convert data from a raw text format to the Open Cybersecurity Schema Framework (OCSF) format.
If the data that you want to convert to OCSF format is not stored in an event field named _raw, or if you want to convert the data from the _raw field but store the results in a different field, then use the to_ocsf SPL2 evaluation function in your pipeline.
Unlike the ocsf command, the to_ocsf function only returns the converted data; it cannot modify other fields in your events, such as sourcetype. To make sure that your data is associated with a source type that is supported by the OCSF-CIM Add-on for Splunk and Splunk Enterprise Security, you must add a separate eval expression that prefixes the sourcetype values with ocsf:.
Example: Use the to_ocsf function to convert data
Given an input event that stores the raw log in the log_messages_2 field:

| log_messages_2 | sourcetype |
|---|---|
| <166>Oct 06 2021 12:56:34 10.160.0.10 : %ASA-6-611101: User authentication succeeded: IP address: 10.160.39.123, Uname: admin | cisco:asa |
// Import the to_ocsf evaluation function from the Splunk ingest module.
import to_ocsf from /splunk.ingest.commands

$pipeline = | from $source
// Parse log_messages_2 with the parser for its sourcetype and store the
// OCSF event in ocsf_formatted_data. The three Boolean arguments enable
// the extra output described below (raw_data, enum labels, observables).
| eval ocsf_formatted_data = to_ocsf(log_messages_2, sourcetype, true, true, true)
// to_ocsf does not touch sourcetype, so prefix it here.
| eval sourcetype = "ocsf:" + sourcetype
| into $destination;
This pipeline does the following:

- Parses the data from the log_messages_2 field based on the source type indicated in the sourcetype field.
- Converts the data into OCSF format.
- Includes the following additional information in the converted data:
    - A raw_data attribute containing a copy of the original data.
    - The severity, activity_name, type_name, category_name, class_name, and status attributes. These attributes provide descriptive labels for the severity_id, activity_id, type_id, category_uid, class_uid, and status_id enum attributes.
    - The observables array, which summarizes the attributes that contain security observables.
- Stores the converted data in a field named ocsf_formatted_data.
- Prefixes the values in the sourcetype field with ocsf:.
After the pipeline runs, the event looks like this (the ocsf_formatted_data column holds the converted OCSF event):

| ocsf_formatted_data | log_messages_2 | sourcetype |
|---|---|---|
|  | <166>Oct 06 2021 12:56:34 10.160.0.10 : %ASA-6-611101: User authentication succeeded: IP address: 10.160.39.123, Uname: admin | ocsf:cisco:asa |
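
The following pipeline is an added example and is not part of the original page. It covers the other case named above (converting the default _raw field but writing the result into a separate field) and makes the sourcetype prefix idempotent, so the pipeline can be applied to data that may already carry an ocsf: source type without producing ocsf:ocsf:. The argument order of to_ocsf is taken from the example above; the field name ocsf_event is an assumption, and if() and like() are standard SPL2 functions.

```spl2
import to_ocsf from /splunk.ingest.commands

$pipeline = | from $source
// Assumption: each event carries a sourcetype field (for example cisco:asa)
// and the text to convert is in the default _raw field.
// Keep _raw intact by storing the OCSF event in a separate field (ocsf_event is an assumed name).
| eval ocsf_event = to_ocsf(_raw, sourcetype, true, true, true)
// Prefix only once: a sourcetype that already starts with "ocsf:" is left unchanged,
// so re-running the pipeline, or receiving data converted upstream, does not double-prefix it.
| eval sourcetype = if(like(sourcetype, "ocsf:%"), sourcetype, "ocsf:" + sourcetype)
| into $destination;
```

The page does not describe what to_ocsf returns for a source type it cannot parse, so no filtering on the result is included here; check the converted field on a sample of events before relying on it downstream.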