#### Default replacement for all csv logs
[perfmon-.*\.csv]
index=perfmon
sampletype = csv
timeMultiple = 2
## replace timestamp 09/09/2010 23:36:32.0128
token.0.token = ^(\d{2}\/\d{2}\/\d{2,4}\s+\d{2}:\d{2}:\d{2})\.\d+
token.0.replacementType = timestamp
token.0.replacement = %m/%d/%Y %H:%M:%S

# Perfmon Collection
[perfmon-Processor.csv]
backfill = -15m
backfillSearch = index=perfmon sourcetype=Perfmon:Processor
source = Perfmon:Processor
sourcetype = Perfmon:Processor

[perfmon-Memory.csv]
backfill = -15m
backfillSearch = index=perfmon sourcetype=Perfmon:Memory
source = Perfmon:Memory
sourcetype = Perfmon:Memory

[perfmon-Network_Interface.csv]
backfill = -15m
backfillSearch = index=perfmon sourcetype=Perfmon:Network_Interface
source = Perfmon:Network_Interface
sourcetype = Perfmon:Network_Interface

## TODO
#[perfmon://DFS_Replicated_Folders]
#object = DFS Replicated Folders
#counters = Bandwidth Savings Using DFS Replication; RDC Bytes Received; RDC Compressed Size of Files Received; RDC Size of Files Received; RDC Number of Files Received; Compressed Size of Files Received; Size of Files Received; Total Files Received; Deleted Space In Use; Deleted Bytes Cleaned up; Deleted Files Cleaned up; Deleted Bytes Generated; Deleted Files Generated; Updates Dropped; File Installs Retried; File Installs Succeeded; Conflict Folder Cleanups Completed; Conflict Space In Use; Conflict Bytes Cleaned up; Conflict Files Cleaned up; Conflict Bytes Generated; Conflict Files Generated; Staging Space In Use; Staging Bytes Cleaned up; Staging Files Cleaned up; Staging Bytes Generated; Staging Files Generated
#index=perfmon

[perfmon-NTDS.csv]
backfill = -15m
backfillSearch = index=perfmon sourcetype=Perfmon:NTDS
source = Perfmon:NTDS
sourcetype = Perfmon:NTDS

# TODO
#[admon://NearestDC]
#[sourcetype-ActiveDirectory.csv]
#sampletype = csv
#timeMultiple = 2
#backfill = -15m
#backfillSearch = index=msad sourcetype=ActiveDirectory
#index = msad
#source = ActiveDirectory
#sourcetype = ActiveDirectory
## replace timestamp 09/09/2010 23:36:32.0128
#token.0.token = ^(\d{2}\/\d{2}\/\d{2,4}\s+\d{2}:\d{2}:\d{2})\.\d+
#token.0.replacementType = timestamp
#token.0.replacement = %m/%d/%Y %H:%M:%S

## TODO
#[monitor://C:\Windows\debug\netlogon.log]
#sourcetype=MSAD:NT6:Netlogon
#index=msad

## Windows 2012 R2
[WinEventLog-DFS-Replication.csv]
sampletype = csv
timeMultiple = 2
backfill = -15m
backfillSearch = index=wineventlog sourcetype=WinEventLog:DFS-Replication
index=wineventlog
source = WinEventLog:DFS Replication
sourcetype = WinEventLog:DFS-Replication
## replace timestamp 03/11/10 01:12:01 PM
token.0.token = ^\d{2}\/\d{2}\/\d{2,4}\s+\d{2}:\d{2}:\d{2}\s+[AaPp][Mm]
token.0.replacementType = timestamp
token.0.replacement = %m/%d/%Y %I:%M:%S %p

[WinEventLog-Directory-Service.csv]
sampletype = csv
timeMultiple = 2
backfill = -15m
backfillSearch = index=wineventlog sourcetype=Directory-Service
index=wineventlog
source = WinEventLog:Directory Service
sourcetype = WinEventLog:Directory-Service
## replace timestamp 03/11/10 01:12:01 PM
token.0.token = ^\d{2}\/\d{2}\/\d{2,4}\s+\d{2}:\d{2}:\d{2}\s+[AaPp][Mm]
token.0.replacementType = timestamp
token.0.replacement = %m/%d/%Y %I:%M:%S %p

## TODO for Win2k3
#[WinEventLog-File-Replication-Service.csv]
#sampletype = csv
#timeMultiple = 2
#backfill = -15m
#backfillSearch = index=wineventlog sourcetype=WinEventLog:File-Replication-Service
#index=wineventlog
#source = WinEventLog:File Replication Service
#sourcetype = WinEventLog:File-Replication-Service
#token.1.token = \d{2}.\d{2}.\d{4} \d{2}.\d{2}.\d{2}.\d{3}
#token.1.replacementType = timestamp
#token.1.replacement = %Y-%m-%d %H:%M:%S

## TODO generate events to capture
#[WinEventLog-Key-Management-Service.csv]
#sampletype = csv
#timeMultiple = 2
#backfill = -15m
#backfillSearch = index=wineventlog sourcetype=WinEventLog:Key-Management-Service
#index=wineventlog
#source = WinEventLog:Key Management Service
#sourcetype = WinEventLog:Key-Management-Service
#token.1.token = \d{2}.\d{2}.\d{4} \d{2}.\d{2}.\d{2}.\d{3}
#token.1.replacementType = timestamp
#token.1.replacement = %Y-%m-%d %H:%M:%S

## TODO 
#[MSAD-NT6-ad-repl-stat.sample]
#timeMultiple = 1
#backfill = -15m
#backfillSearch = index=msad sourcetype=MSAD:NT6:Replication
#index = msad
#source = Powershell
#sourcetype = MSAD:NT6:Replication
#token.0.token = \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}
#token.0.replacementType = timestamp
#token.0.replacement = %Y-%m-%d %H:%M:%S,%f
#token.1.token = \d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}.\d{3}
#token.1.replacementType = timestamp
#token.1.replacement = %m-%d-%Y %H:%M:%S.%f
#token.2.token = \d{2}/\w{3}/\d{4}:\d{2}:\d{2}\:\d{2}.\d{3}
#token.2.replacementType = timestamp
#token.2.replacement = %d/%b/%Y:%H:%M:%S.%f
#token.3.token = \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}
#token.3.replacementType = timestamp
#token.3.replacement = %Y-%m-%d %H:%M:%S

#### Default replacement for all sample logs
[.*\.sample]
index = msad
source = Powershell
token.0.token =  \d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}-\d{2}:\d{2}
token.0.replacementType = timestamp
token.0.replacement = %Y-%m-%d %H:%M:%S

#[script://.\bin\runpowershell.cmd ad-health.ps1]
[MSAD-NT6-Health.sample]
timeMultiple = 1
backfill = -15m
backfillSearch = index=msad sourcetype=MSAD:NT6:Health
sourcetype = MSAD:NT6:Health

#[script://.\bin\runpowershell.cmd siteinfo.ps1]
[MSAD-NT6-SiteInfo.sample]
timeMultiple = 1
backfill = -15m
backfillSearch = index=msad sourcetype=MSAD:NT6:SiteInfo
sourcetype = MSAD:NT6:SiteInfo