fix: Added a couple of parsers in the enterprise version. (#2734)

cwadhwani-splunk · web-flow · commit 729f2cd3d15c · 2025-04-09T13:46:04.000+05:30
diff --git a/package/enterprise/etc/conf.d/conflib/netsource/app-netsource-netapp_ontap.conf b/package/enterprise/etc/conf.d/conflib/netsource/app-netsource-netapp_ontap.conf
@@ -34,6 +34,26 @@ block parser app-netsource-netapp_ontap() {
                     class('audit')
                 );
             };
+        } elif {
+            parser {
+                regexp-parser(
+                    prefix(".tmp.")
+                    patterns('\[(?<host>[^:]+):(?<category>[^:]+):(?<severity>[^\]]+)\]: (?<message>.*)')
+                    template("${MESSAGE}")
+                );
+            };
+            rewrite {
+                set('${.tmp.message}' value('MESSAGE'));
+                set('${.tmp.host}' value('HOST'));
+                set('${.tmp.category}' value('fields.category'));
+                set('${.tmp.severity}' value('fields.severity'));
+            };
+            rewrite {
+                r_set_splunk_dest_update_v2(
+                    sourcetype('netapp:ontap:ems')
+                    class('ems')
+                );
+            };
         } else {
             rewrite {
                 r_set_splunk_dest_update_v2(
@@ -46,10 +66,10 @@ block parser app-netsource-netapp_ontap() {
 };
 
 application app-netsource-netapp_ontap[sc4s-network-source] {
-	filter {
+    filter {
         match("netapp", value('.netsource.sc4s_vendor'), type(string))
         and match("ontap", value('.netsource.sc4s_product'), type(string))
         and "`SC4S_NETAPP_ONTAP_NEW_FORMAT`" eq "yes"
-    };	
+    };
     parser { app-netsource-netapp_ontap(); };
-};
+};
diff --git a/package/enterprise/etc/conf.d/conflib/syslog/app-syslog-vectra_json.conf b/package/enterprise/etc/conf.d/conflib/syslog/app-syslog-vectra_json.conf
@@ -0,0 +1,104 @@
+block parser app-syslog-vectra-json() {
+    channel {
+        parser {
+            regexp-parser(
+                prefix(".tmp.")
+                patterns('\"vectra_timestamp\"\:\s\"(?<timestamp>[^\"]+)\"')
+                template("$MESSAGE")
+            );
+            date-parser-nofilter(
+                format('%s')
+                template("${.tmp.timestamp}")
+            );
+        };
+
+        rewrite {
+            subst('\-\:\s',"",value("MESSAGE"));
+        };
+
+        rewrite {
+            r_set_splunk_dest_default(
+                index("main")
+                sourcetype('vectra:cognito:detect:json')
+                vendor("vectra")
+                product("cognito detect")
+                class('detect')
+                template("t_msg_only")
+            );
+        };
+
+        if (message('\"host_\w+\"\:')) {
+            rewrite {
+                r_set_splunk_dest_update_v2(
+                    sourcetype('vectra:cognito:hostscoring:json')
+                    class('hostscoring')
+                    condition(message('\"HOST\sSCORING\"'))
+                );
+            };
+            rewrite {
+                r_set_splunk_dest_update_v2(
+                    sourcetype('vectra:cognito:hostdetect:json')
+                    class('hostdetect')
+                    condition(message('\"detection_id\"\:'))
+                );
+            };
+            rewrite {
+                r_set_splunk_dest_update_v2(
+                    sourcetype('vectra:cognito:hostlockdown:json')
+                    class('hostlockdown')
+                    condition(message('\"success\"\:'))
+                );
+            };
+        } elif (message('\"account_uid\"\:')) {
+            rewrite {
+                r_set_splunk_dest_update_v2(
+                    sourcetype('vectra:cognito:accountscoring:json')
+                    class('accountscoring')
+                    condition(message('\"ACCOUNT\sSCORING\"'))
+                );
+            };
+            rewrite {
+                r_set_splunk_dest_update_v2(
+                    sourcetype('vectra:cognito:accountdetect:json')
+                    class('accountdetect')
+                    condition(message('\"detection_id\"\:'))
+                );
+            };
+            rewrite {
+                r_set_splunk_dest_update_v2(
+                    sourcetype('vectra:cognito:accountlockdown:json')
+                    class('accountlockdown')
+                    condition(message('\"success\"\:'))
+                );
+            };
+        } elif (message('\"campaign_id\"\:')) {
+            rewrite {
+                r_set_splunk_dest_update_v2(
+                    sourcetype('vectra:cognito:campaigns:json')
+                    class('campaigns')
+                );
+            };
+        } elif (message('\"role\"\:')) {
+            rewrite {
+                r_set_splunk_dest_update_v2(
+                    sourcetype('vectra:cognito:audit:json')
+                    class('audit')
+                );
+            };
+        } elif (message('\"type\"\:')) {
+            rewrite {
+                r_set_splunk_dest_update_v2(
+                    sourcetype('vectra:cognito:health:json')
+                    class('health')
+                );
+            };
+        } else {};
+    };
+};
+
+application app-syslog-vectra-json[sc4s-syslog-pgm] {
+    filter {
+        program('vectra_json' type(string) flags(prefix));
+    };
+    parser { app-syslog-vectra-json(); };
+};
