From 610169bd7772dde81a0ce485845c38788aec03d3 Mon Sep 17 00:00:00 2001
From: jwindley-splunk
Date: Tue, 14 Jan 2020 20:37:54 +0000
Subject: [PATCH] Update props.conf

Improvements to field extractions
---
 default/props.conf | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/default/props.conf b/default/props.conf
index 45c1717..05a0b1a 100644
--- a/default/props.conf
+++ b/default/props.conf
@@ -70,7 +70,7 @@ FIELDALIAS-file_create_time = columns.ctime as file_create_time
 FIELDALIAS-file_size = columns.size as file_size
 FIELDALIAS-file_acl = columns.mode as file_acl
 FIELDALIAS-action = columns.action as action
-EVAL-file_hash=if((name="pack_fim_file_events" AND (action="CREATED" OR action="UPDATED") AND ('columns.sha256'!="")),'columns.sha256',null)
+EVAL-file_hash=if((name="*file_events" AND (action="CREATED" OR action="UPDATED") AND ('columns.sha256'!="")),'columns.sha256',null)
 EVAL-file_name = replace(file_path, "^.*[\\/]", "")
 
 ### For Alerts
@@ -86,3 +86,4 @@ EXTRACT-process_exec = .*path\":\"\\\/(.+?\/)*(?.+?)\"
 FIELDALIAS-process_id = columns.pid AS process_id
 FIELDALIAS-process_path = columns.path AS process_path
 FIELDALIAS-user_id = columns.uid AS user_id
+FIELDALIAS-process = column.cmdline AS process
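Review bot: The rewritten condition `name="*file_events"` on the added EVAL-file_hash line will match nothing, because Splunk's eval `=` is an exact string comparison and does not expand `*` as a wildcard; events from the previously matched `pack_fim_file_events` pack now get a null file_hash as well, which would silently blind any hash-based FIM detection keyed on this field. Use a pattern function instead: `EVAL-file_hash=if((match(name, "file_events$") AND (action="CREATED" OR action="UPDATED") AND ('columns.sha256'!="")),'columns.sha256',null())`. The trailing bare `null` is carried over from the old line; as an unquoted token it is read as a field reference rather than the `null()` function and only yields null because no such field exists, so `null()` is the safer spelling. If the intent is specifically osquery packs whose name ends in `file_events`, `like(name, "%file_events")` is an equivalent choice; either way, confirm against real events that file_hash is still populated after the change.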
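Review bot: The new alias reads `column.cmdline`, while every other alias in this stanza and the `'columns.sha256'` reference above use the plural `columns.` prefix, so `process` will never be populated unless the source actually emits a `column.cmdline` key, which nothing visible here suggests. Change it to `FIELDALIAS-process = columns.cmdline AS process`. Since CIM consumers and detections that key on `process` would otherwise get an empty field without any error, a quick search-time check that `process` is populated on real events is worth doing before merging.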