[setNull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setError]
REGEX = ^[01]\d-[0-3]\d-20\d\d \d{2}:\d{2}:\d{2}.\d{3}\s+ERROR\s+
DEST_KEY = queue
FORMAT = indexQueue

[setAutoFinalize]
REGEX = Search auto-finalized after
DEST_KEY = queue
FORMAT = indexQueue

#Only include warning or error entries
[setWARNorERROR]
REGEX = ,(?:ERROR|WARN),
DEST_KEY = queue
FORMAT = indexQueue

[splunkadmins_macros]
#This config failed below with ERROR KVStoreLookup - KV Store output failed with err: The provided query was invalid. (Document may not contain '$' or '.' in keys.) message:
#Switching back to csv files for now
#collection = splunkadmins_macros
#external_type = kvstore
#fields_list = definition, eai:acl.app, title
batch_index_query = 0
case_sensitive_match = 1
collection = 
external_type = 
fields_list = 
filename = splunkadmins_macros.csv

[splunkadmins_userlist_indexinfo]
collection = splunkadmins_userlist_indexinfo
#external_type = kvstore
#fields_list = srchIndexesAllowed, srchIndexesDefault, user
filename = splunkadmins_userlist_indexinfo.csv

[splunkadmins_indexlist]
batch_index_query = 0
case_sensitive_match = 1
filename = splunkadmins_indexlist.csv

[splunkadmins_indexes_per_role]
batch_index_query = 0
case_sensitive_match = 1
filename = splunkadmins_indexes_per_role.csv

[splunkadmins_datamodels]
batch_index_query = 0
case_sensitive_match = 0
filename = splunkadmins_datamodels.csv

[splunkadmins_tags]
batch_index_query = 0
case_sensitive_match = 0
filename = splunkadmins_tags.csv

[splunkadmins_eventtypes]
batch_index_query = 0
case_sensitive_match = 0
filename = splunkadmins_eventtypes.csv

[splunkadmins_rmd5_to_savedsearchname]
batch_index_query = 0
case_sensitive_match = 0
filename = splunkadmins_rmd5_to_savedsearchname.csv

[splunkadmins_indexlist_by_cluster]
batch_index_query = 0
case_sensitive_match = 1
filename = splunkadmins_indexlist_by_cluster.csv

#Note that the lookup splunkadmins_hec_reply_code_lookup is based on https://github.com/redvelociraptor/gettingsmarter/blob/main/dashboards/hec_reply_codes.csv (previously https://docs.splunk.com/Documentation/Splunk/latest/Data/TroubleshootHTTPEventCollector) and this may change over time
[splunkadmins_hec_reply_code_lookup]
batch_index_query = 0
case_sensitive_match = 1
filename = splunkadmins_hec_reply_code_lookup.csv

[splunkadmins_lookupfile_owners]
batch_index_query = 0
case_sensitive_match = 1
filename = splunkadmins_lookupfile_owners.csv