WARNING: THIS SITE IS A MIRROR OF GITHUB.COM / IT CANNOT LOGIN OR REGISTER ACCOUNTS / THE CONTENTS ARE PROVIDED AS-IS / THIS SITE ASSUMES NO RESPONSIBILITY FOR ANY DISPLAYED CONTENT OR LINKS / IF YOU FOUND SOMETHING MAY NOT GOOD FOR EVERYONE, CONTACT ADMIN AT ilovescratch@foxmail.com
Skip to content

Corrections and sourcetype definition #4

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
nadidsky wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Corrections and sourcetype definition #4

nadidsky wants to merge 1 commit into from

Conversation

@nadidsky
Copy link

@nadidsky nadidsky commented Apr 21, 2023

This Pull request is risky since it changes the definition of the sourcetype (it adds a prefix).
The change does:

  1. Corrects the REGEX of assignment of sourcetype to take into account that should have a space between type and its values
  2. Corrects the sourcetype to have a oci: prefix in order to be able to classify properly the different sourcetypes.
    The reason is because oci delivers many types and not having a common prefix is not really according to the recomendation of splunk of keeping the vendor and product in front of the sourcetype. In this case we dont add the vendor but could have been a solution
  3. Creates an assignment of host dinamically by the instanceid of the event
  4. Defines a proper TIME_FORMAT instead of relying in the default
  5. Adds the call the transforms that reassigns also the host

@nadidsky
Breaking change:
6cb0887 
1) Corrected time extraction to have TIME_FORMAT defined
2) Corrected host definition based on the instanceid field
3) Corrected sourcetype to have a fix prefix, OCI type delivers many type
4) Corrected REGEX of oci_sourcetype to take into account events actually have a space between the type and its value
5) Added some examples in the files to easier mainteannce
@vrich-100
Copy link
Collaborator

vrich-100 commented Apr 21, 2023

Thank you for the recommendations. Right now, there are in-sequence dependencies between the addon, here and the app (https://splunkbase.splunk.com/app/5289) that would need to be evaluated/changed to integrate these changes. Until then, we're going to wait on this pull request. But all points are valid and will be tested.

@nadidsky
Copy link
Author

nadidsky commented Apr 21, 2023 via email

@nadidsky
Copy link
Author

nadidsky commented Apr 25, 2023
edited
Loading

HI Vivian,

I've checked the app, https://splunkbase.splunk.com/app/5289. As of today the published version does not do much of use of the sourcetype, these are the files I have identified that should require a change:

./props.conf
./data/ui/views/oci_function_logs.xml

On oci_function_logs.xml there are several reference to sourcetype=SOMETHING. These should be appended with "oci:" to make it compatible. In props.conf the inclusion of the following should do the magic:
`
[oci:com.oraclecloud.vcn.flowlogs.DataEvent]

FIELDALIAS-oci_vcn_src_and_dest = "data.destinationAddress" ASNEW dest "data.destinationPort" ASNEW dest_port "data.sourceAddress" ASNEW src "data.sourcePort" ASNEW src_port destinationAddress ASNEW dest sourceAddress ASNEW src
`
I have created a version of the app in https://github.com/nadidsky/splunk_app_oci/tree/changes_for_oci_sourcetype_prefix (note I have removed the lookups, be aware of that on merging), there I have published what would seems the changes needed in the app.

I am really happy somebody is maintaining this apps

Thanks for reviewing and maintaining both!
Joan

@vrich-100
Copy link
Collaborator

vrich-100 commented May 11, 2023

For sure! The key is in the macros and saved searches. We're working on an update shortly and then I'll try to get the app in the splunk repository.

@ajdurr
Copy link

ajdurr commented Jun 7, 2024

Is there any update?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@nadidsky @vrich-100 @ajdurr