Deploiement_Server/deployment-apps/Splunk_SA_CIM/default/props.conf

###### Common Action Model Properties ######
[source::..._mod(alert|workflow).log]
TRANSFORMS-force_index-sourcetype_for_modactions = force_index_cim_modactions,force_sourcetype_cim_modactions

[source::...modaction_adhoc_rest_handler.log]
sourcetype = modaction:adhoc_rest_handler

[source::...modaction_invocations_rest_handler.log]
sourcetype = modaction:invocations_rest_handler

[source::...modaction_queue_handler.log]
sourcetype = modaction:queue_handler

[source::...relaymodaction.log]
sourcetype = relaymodaction

[stash_common_action_model]
TRUNCATE                = 0
# only look for ***SPLUNK*** on the first line
HEADER_MODE             = firstline
# we can summary index past data, but rarely future data
MAX_DAYS_HENCE          = 2
MAX_DAYS_AGO            = 10000
# 5 years difference between two events
MAX_DIFF_SECS_AGO       = 155520000
MAX_DIFF_SECS_HENCE     = 155520000
TIME_PREFIX             = (?m)^\*{3}Common\sAction\sModel\*{3}.*$
MAX_TIMESTAMP_LOOKAHEAD = 25
LEARN_MODEL             = false
# break .stash_new custom format into events
SHOULD_LINEMERGE        = false
BREAK_ONLY_BEFORE_DATE  = false
LINE_BREAKER            = (\r?\n==##~~##~~  1E8N3D4E6V5E7N2T9 ~~##~~##==\r?\n)

TRANSFORMS-0parse_cam_header    = orig_action_name_for_stash_cam,orig_sid_for_stash_cam,orig_rid_for_stash_cam,sourcetype_for_stash_cam
TRANSFORMS-1sinkhole_cam_header = sinkhole_cam_header

###### Data Model Properties ######
[source::...datamodelsimple.log]
sourcetype = datamodelsimple

###### Splunk Internal Properties ######
[audittrail]

EVAL-action = case(match(_raw,"action\=login\sattempt") AND match(_raw,"info\=succeeded"),"success",match(_raw,"action\=login\sattempt") AND match(_raw,"info\=failed"),"failure",match(_raw,"action\=add"),"created",match(_raw,"action\=delete"),"deleted",match(_raw,"action\=update"),"modified",1=1,action)
EVAL-app = if(match(_raw,"action\=login\sattempt"),"splunk",app)

FIELDALIAS-dest_for_splunk_access = host as dest

## eventtype: splunk_endpoint_change
## Required fields: action,dest,object,object_category,status,user
REPORT-1vendor_object_category-vendor_status_for_splunk_endpoint_change = vendor_object_category-vendor_status-for_splunk_endpoint_change
REPORT-2vendor_object-vendor_object_path_for_splunk_endpoint_change = vendor_object-vendor_object_path-for_splunk_endpoint_change
EVAL-vendor_status = if(isdir==0 OR isdir==1, "success", vendor_status)
# CIM-940: map hash to file_hash
EVAL-file_hash=if(isnull(file_hash),hash,file_hash)

LOOKUP-object_category_for_splunk_access = splunk_object_category_lookup vendor_object_category OUTPUT object_category
LOOKUP-src_for_splunk_access = splunk_src_lookup app OUTPUTNEW src

FIELDALIAS-object_for_splunk_endpoint_change = vendor_object as object
FIELDALIAS-object_path_for_splunk_endpoint_change = vendor_object_path as object_path
FIELDALIAS-object_attrs_for_splunk_endpoint_change = chgs as object_attrs
# CIM-680: alias uid->user_id
FIELDALIAS-user_id_for_splunk_endpoint_change = uid as user_id
# CIM-680: calculate user based on user_id if user is weak
EVAL-user = if(isnull(user) OR user="n/a" OR user="",user_id,user)
FIELDALIAS-status_for_splunk_endpoint_change = vendor_status as status

# Field aliases for conformance to Change_Analysis::Filesystem_Changes object
FIELDALIAS-file_acl_for_splunk_filesystem_change = mode as file_acl
FIELDALIAS-file_size_for_splunk_filesystem_change = size as file_size
EVAL-file_modify_time = strptime(modtime, "%a %b %d %H:%M:%S %Y")
FIELDALIAS-file_name_for_splunk_filesystem_change = vendor_object as file_name
FIELDALIAS-file_path_for_splunk_filesystem_change = vendor_object_path as file_path

REPORT-search_for_audittrail = search_for_audittrail

[splunkd]
REPORT-signature_for_sendmodalert = signature_for_sendmodalert

[splunk_web_access]
REPORT-app-view_for_splunk_web_access = app-view_for_splunk_web_access