admingit
/
SH-Deployer
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '69f31f9c90'
${ noResults }
SH-Deployer/apps/SplunkAdmins/default/transforms.conf

86 lines
2.4 KiB
Raw Blame History

[setNull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
[setError]
REGEX = ^[01]\d-[0-3]\d-20\d\d \d{2}:\d{2}:\d{2}.\d{3}\s+ERROR\s+
DEST_KEY = queue
FORMAT = indexQueue
[setAutoFinalize]
REGEX = Search auto-finalized after
DEST_KEY = queue
FORMAT = indexQueue
#Only include warning or error entries
[setWARNorERROR]
REGEX = ,(?:ERROR|WARN),
DEST_KEY = queue
FORMAT = indexQueue
[splunkadmins_macros]
#This config failed below with ERROR KVStoreLookup - KV Store output failed with err: The provided query was invalid. (Document may not contain '$' or '.' in keys.) message:
#Switching back to csv files for now
#collection = splunkadmins_macros
#external_type = kvstore
#fields_list = definition, eai:acl.app, title
batch_index_query = 0
case_sensitive_match = 1
collection =
external_type =
fields_list =
filename = splunkadmins_macros.csv
[splunkadmins_userlist_indexinfo]
collection = splunkadmins_userlist_indexinfo
#external_type = kvstore
#fields_list = srchIndexesAllowed, srchIndexesDefault, user
filename = splunkadmins_userlist_indexinfo.csv
[splunkadmins_indexlist]
batch_index_query = 0
case_sensitive_match = 1
filename = splunkadmins_indexlist.csv
[splunkadmins_indexes_per_role]
batch_index_query = 0
case_sensitive_match = 1
filename = splunkadmins_indexes_per_role.csv
[splunkadmins_datamodels]
batch_index_query = 0
case_sensitive_match = 0
filename = splunkadmins_datamodels.csv
[splunkadmins_tags]
batch_index_query = 0
case_sensitive_match = 0
filename = splunkadmins_tags.csv
[splunkadmins_eventtypes]
batch_index_query = 0
case_sensitive_match = 0
filename = splunkadmins_eventtypes.csv
[splunkadmins_rmd5_to_savedsearchname]
batch_index_query = 0
case_sensitive_match = 0
filename = splunkadmins_rmd5_to_savedsearchname.csv
[splunkadmins_indexlist_by_cluster]
batch_index_query = 0
case_sensitive_match = 1
filename = splunkadmins_indexlist_by_cluster.csv
#Note that the lookup splunkadmins_hec_reply_code_lookup is based on https://github.com/redvelociraptor/gettingsmarter/blob/main/dashboards/hec_reply_codes.csv (previously https://docs.splunk.com/Documentation/Splunk/latest/Data/TroubleshootHTTPEventCollector) and this may change over time
[splunkadmins_hec_reply_code_lookup]
batch_index_query = 0
case_sensitive_match = 1
filename = splunkadmins_hec_reply_code_lookup.csv
[splunkadmins_lookupfile_owners]
batch_index_query = 0
case_sensitive_match = 1
filename = splunkadmins_lookupfile_owners.csv
Reference in new issue View Git Blame Copy Permalink