I currently have a custom sourcetype=vuln_scan that looks like this:
response_datetime="2014-01-24 06:41:22" scan_date="2014-01-24 06:41:22" org_id=AB5X1896 scan_id=1H6785E host_id=522ZB769 ip=190.1.19.15 testid=2533 vuln_type="FTP servers" vuln_risk=8 vuln_name="HP/UX FTPd Negative REST Buffer Overflow" port=21 protocol=tcp results=
Our goal is to modify the automatic field extractions that occur due to the "=" sign with another field name. For instance ip=190.1.9.15 is automatically extracted giving us a field name "ip" with a value of "190.1.9.15". We would like to map to the common information model (CIM) using the field name "dest" instead of "ip" at index time, not at search time. How would we go about reaching this objective?
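The index-time mapping the question asks about, as an added example (not part of the original post, and not a reply from the poster): the sourcetype is the `vuln_scan` named above, the transform stanza name `vuln_scan_dest` and the class name `vuln_dest` are assumed, and the regex is written against the sample event shown.

```ini
# props.conf (deploy where parsing happens: indexers or heavy forwarders)
[vuln_scan]
# Index-time: apply the transform below while the event is parsed,
# before it is written to the index.
TRANSFORMS-vuln_dest = vuln_scan_dest

# transforms.conf (same parsing tier)
[vuln_scan_dest]
# Capture the dotted-quad after "ip=" in _raw (anchored so e.g. "src_ip="
# would not match) and write it to the indexed metadata as dest::<value>.
REGEX = (?:^|\s)ip=(\d{1,3}(?:\.\d{1,3}){3})
FORMAT = dest::$1
WRITE_META = true

# fields.conf (search head)
[dest]
# Declare dest as an indexed field so a search like dest=190.1.19.15
# is resolved from the index instead of by search-time extraction.
INDEXED = true
```

Points to check before relying on this: index-time extractions take effect only for events indexed after the parsing tier is restarted, they do not remove the automatic search-time `ip` extraction (both `ip` and `dest` will appear on these events), and they add to index size. The regex can be validated against already-indexed data first with `sourcetype=vuln_scan | rex "ip=(?<dest>\d{1,3}(?:\.\d{1,3}){3})"`. If the requirement for index time is negotiable, the conventional CIM approach is a search-time alias on the search head instead: `FIELDALIAS-dest = ip AS dest` in the `[vuln_scan]` stanza of props.conf, which needs no reindexing and no fields.conf entry.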