admingit
/
Deploiement_Server
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '89ac45cb63'
${ noResults }
Deploiement_Server/deployment-apps/Splunk_SA_CIM/default/data/models/Updates.json

419 lines
13 KiB
Raw Blame History

{
"modelName": "Updates",
"displayName": "Updates",
"description": "Updates Data Model",
"editable": false,
"objects": [
{
"comment": {
"tags": [
"update",
"status"
]
},
"objectName": "Updates",
"displayName": "Updates",
"parentName": "BaseEvent",
"fields": [
{
"comment": {
"description": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.",
"ta_relevant": false
},
"fieldName": "dest_bunit",
"displayName": "dest_bunit",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false
},
{
"comment": {
"description": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.",
"ta_relevant": false
},
"fieldName": "dest_category",
"displayName": "dest_category",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": true,
"hidden": false
},
{
"comment": {
"description": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.",
"ta_relevant": false
},
"fieldName": "dest_priority",
"displayName": "dest_priority",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false
},
{
"comment": {
"description": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.",
"ta_relevant": false
},
"fieldName": "dest_should_update",
"displayName": "dest_should_update",
"type": "boolean",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false
},
{
"comment": {
"description": "The device that detected the patch event, such as a patching or configuration management server. You can alias this from more specific fields, such as dvc_host, dvc_ip, or dvc_name."
},
"fieldName": "dvc",
"displayName": "dvc",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false
},
{
"comment": {
"description": "The name of the patch package that was installed or attempted."
},
"fieldName": "file_name",
"displayName": "file_name",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false
},
{
"comment": {
"description": "The checksum of the patch package that was installed or attempted."
},
"fieldName": "file_hash",
"displayName": "file_hash",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false
},
{
"comment": {
"description": "The severity associated with the patch event.",
"expected_values": [
"critical",
"high",
"medium",
"low",
"informational"
]
},
"fieldName": "severity",
"displayName": "severity",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false
},
{
"comment": {
"description": "The numeric or vendor specific severity indicator corresponding to the event severity."
},
"fieldName": "severity_id",
"displayName": "severity_id",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false
},
{
"comment": {
"description": "This automatically generated field is used to access tags from within data models. Add-on builders do not need to populate it.",
"ta_relevant": false
},
"fieldName": "tag",
"displayName": "tag",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": true,
"hidden": false
}
],
"calculations": [
{
"calculationID": "Updates_fillnull_dest",
"calculationType": "Eval",
"outputFields": [
{
"comment": {
"description": "The system that is affected by the patch change. You can alias this from more specific fields, such as dest_host, dest_ip, or dest_name.",
"recommended": true
},
"fieldName": "dest",
"displayName": "dest",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false
}
],
"expression": "if(isnull(dest) OR dest=\"\",\"unknown\",dest)"
},
{
"calculationID": "Updates_fillnull_signature",
"calculationType": "Eval",
"outputFields": [
{
"comment": {
"description": "The name of the patch requirement detected on the client (the dest), such as MS08-067 or RHBA-2013:0739. Note: This is a string value. Use signature_id for numeric or non-human-readable indicators.",
"recommended": true
},
"fieldName": "signature",
"displayName": "signature",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": true,
"hidden": false
}
],
"expression": "case(isnotnull(signature) AND signature!=\"\",signature,isnotnull(signature_id) AND signature_id!=\"\" AND signature_id!=\"unknown\",signature_id,1=1,\"unknown\")"
},
{
"calculationID": "Updates_fillnull_signature_id",
"calculationType": "Eval",
"outputFields": [
{
"comment": {
"description": "The ID of the patch requirement detected on the client (the src). Note: Use signature for human-readable signature names.",
"recommended": true
},
"fieldName": "signature_id",
"displayName": "signature_id",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": true,
"hidden": false
}
],
"expression": "case(isnotnull(signature_id) AND signature_id!=\"\",signature_id,isnotnull(signature) AND signature!=\"\" AND signature!=\"unknown\",signature,1=1,\"unknown\")"
},
{
"calculationID": "Updates_fillnull_status",
"calculationType": "Eval",
"outputFields": [
{
"comment": {
"description": "Indicates the status of a given patch requirement.",
"expected_values": [
"available",
"installed",
"invalid",
"restart required"
],
"recommended": true
},
"fieldName": "status",
"displayName": "status",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false
}
],
"expression": "if(isnull(status) OR status=\"\",\"unknown\",status)"
},
{
"calculationID": "Updates_vendor_product",
"calculationType": "Eval",
"outputFields": [
{
"comment": {
"description": "The vendor and product of the patch monitoring product, such as Lumension Patch Manager. This field can be automatically populated by vendor and product fields in your data.",
"recommended": true
},
"fieldName": "vendor_product",
"displayName": "vendor_product",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false
}
],
"expression": "case(isnotnull(vendor_product),vendor_product,isnotnull(vendor) AND vendor!=\"unknown\" AND isnotnull(product) AND product!=\"unknown\",vendor.\" \".product,isnotnull(vendor) AND vendor!=\"unknown\" AND (isnull(product) OR product=\"unknown\"),vendor.\" unknown\",(isnull(vendor) OR vendor=\"unknown\") AND isnotnull(product) AND product!=\"unknown\",\"unknown \".product,isnotnull(sourcetype),sourcetype,1=1,\"unknown\")"
}
],
"constraints": [
{
"search": "(`cim_Updates_indexes`) tag=update tag=status"
}
],
"children": [
]
},
{
"comment": {
"tags": [
"update",
"status"
]
},
"objectName": "Available_Updates",
"displayName": "Available Updates",
"parentName": "Updates",
"fields": [
],
"calculations": [
],
"constraints": [
{
"search": "status=\"available\""
}
],
"children": [
]
},
{
"comment": {
"tags": [
"update",
"status"
]
},
"objectName": "Installed_Updates",
"displayName": "Installed Updates",
"parentName": "Updates",
"fields": [
],
"calculations": [
],
"constraints": [
{
"search": "status=\"installed\""
}
],
"children": [
]
},
{
"comment": {
"tags": [
"update",
"status"
]
},
"objectName": "Restart_Required_Updates",
"displayName": "Updates Requiring Restart",
"parentName": "Updates",
"fields": [
],
"calculations": [
],
"constraints": [
{
"search": "status=\"restart_required\""
}
],
"children": [
]
},
{
"comment": {
"tags": [
"update",
"error"
]
},
"objectName": "Update_Errors",
"displayName": "Update Errors",
"parentName": "BaseSearch",
"fields": [
{
"comment": {
"description": "The event timestamp expressed in Unix time.",
"ta_relevant": false
},
"fieldName": "_time",
"displayName": "_time",
"type": "timestamp",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false
},
{
"comment": {
"description": "The host associated with the search.",
"ta_relevant": false
},
"fieldName": "host",
"displayName": "host",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false
},
{
"comment": {
"description": "The source associated with the search.",
"ta_relevant": false
},
"fieldName": "source",
"displayName": "source",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false
},
{
"comment": {
"description": "The source type associated with the search.",
"ta_relevant": false
},
"fieldName": "sourcetype",
"displayName": "sourcetype",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false
}
],
"calculations": [
],
"constraints": [
],
"baseSearch": "(`cim_Updates_indexes`) tag=update tag=error",
"children": [
]
}
]
}
Reference in new issue View Git Blame Copy Permalink