test

Pushed by: unknown_user
Timestamp: 2026-01-25T22:35:45.286452

apps/learned/default/README

@@ -0,0 +1,6 @@
+
+This directory contains automatically generated sourcetypes. 
+
+   * sourcetypes.conf -- document models of sourcetype classification.
+   * props.conf -- settings for each discovered sourcetype.
+

apps/learned/local/props.conf

@@ -0,0 +1,741 @@
+[first_install-too_small]
+PREFIX_SOURCETYPE = True
+SHOULD_LINEMERGE = False
+is_valid = True
+maxDist = 9999
+
+[audit_v-too_small]
+PREFIX_SOURCETYPE = True
+SHOULD_LINEMERGE = False
+is_valid = True
+maxDist = 9999
+
+[cloudgateway_untracked-too_small]
+PREFIX_SOURCETYPE = True
+SHOULD_LINEMERGE = False
+is_valid = True
+maxDist = 9999
+
+[supervisor-too_small]
+PREFIX_SOURCETYPE = True
+SHOULD_LINEMERGE = False
+is_valid = True
+maxDist = 9999
+
+[sup-pkg-ipc_broker-stdout-too_small]
+PREFIX_SOURCETYPE = True
+SHOULD_LINEMERGE = False
+is_valid = True
+maxDist = 9999
+
+[sup-pkg-spotlight-collector-stdout-too_small]
+PREFIX_SOURCETYPE = True
+SHOULD_LINEMERGE = False
+is_valid = True
+maxDist = 9999
+
+[sup-pkg-spotlight-collector-too_small]
+PREFIX_SOURCETYPE = True
+SHOULD_LINEMERGE = False
+is_valid = True
+maxDist = 9999
+
+[sup-pkg-edge-processor-config-stdout-too_small]
+PREFIX_SOURCETYPE = True
+SHOULD_LINEMERGE = False
+is_valid = True
+maxDist = 9999
+
+[sup-pkg-cmp-orchestrator-stdout-too_small]
+PREFIX_SOURCETYPE = True
+SHOULD_LINEMERGE = False
+is_valid = True
+maxDist = 9999
+
+[spl2-orchestrator-too_small]
+PREFIX_SOURCETYPE = True
+SHOULD_LINEMERGE = False
+is_valid = True
+maxDist = 9999
+
+[sup-pkg-cmp-orchestrator-too_small]
+PREFIX_SOURCETYPE = True
+SHOULD_LINEMERGE = False
+is_valid = True
+maxDist = 9999
+
+[language-server-too_small]
+PREFIX_SOURCETYPE = True
+SHOULD_LINEMERGE = False
+is_valid = True
+maxDist = 9999
+
+[sup-pkg-identity-stdout-too_small]
+PREFIX_SOURCETYPE = True
+SHOULD_LINEMERGE = False
+is_valid = True
+maxDist = 9999
+
+[export_metrics-too_small]
+PREFIX_SOURCETYPE = True
+SHOULD_LINEMERGE = False
+is_valid = True
+maxDist = 9999
+
+[sup-pkg-postgres-too_small]
+PREFIX_SOURCETYPE = True
+SHOULD_LINEMERGE = False
+is_valid = True
+maxDist = 9999
+
+[sup-pkg-postgres-stdout-too_small]
+PREFIX_SOURCETYPE = True
+SHOULD_LINEMERGE = False
+is_valid = True
+maxDist = 9999
+
+[sup-pkg-agent-manager-stdout-too_small]
+PREFIX_SOURCETYPE = True
+SHOULD_LINEMERGE = False
+is_valid = True
+maxDist = 9999
+
+[sup-pkg-opamp-svc-stdout-too_small]
+PREFIX_SOURCETYPE = True
+SHOULD_LINEMERGE = False
+is_valid = True
+maxDist = 9999
+
+[splunk_instrumentation-too_small]
+PREFIX_SOURCETYPE = True
+SHOULD_LINEMERGE = False
+is_valid = True
+maxDist = 9999
+
+[supervisor-2]
+MAX_TIMESTAMP_LOOKAHEAD = 68
+SHOULD_LINEMERGE = False
+TIME_PREFIX = (?:.*?:){2}
+is_valid = True
+
+[sup-pkg-postgres-stdout-2]
+MAX_TIMESTAMP_LOOKAHEAD = 63
+SHOULD_LINEMERGE = False
+is_valid = True
+
+[splunk_archiver-too_small]
+PREFIX_SOURCETYPE = True
+SHOULD_LINEMERGE = False
+is_valid = True
+maxDist = 9999
+
+[splunk_o11y_app-too_small]
+PREFIX_SOURCETYPE = True
+SHOULD_LINEMERGE = False
+is_valid = True
+maxDist = 9999
+
+[sup-pkg-ipc_broker-too_small]
+PREFIX_SOURCETYPE = True
+SHOULD_LINEMERGE = False
+is_valid = True
+maxDist = 9999
+
+[sup-pkg-identity-too_small]
+PREFIX_SOURCETYPE = True
+SHOULD_LINEMERGE = False
+is_valid = True
+maxDist = 9999
+
+[sup-pkg-agent-manager-too_small]
+PREFIX_SOURCETYPE = True
+SHOULD_LINEMERGE = False
+is_valid = True
+maxDist = 9999
+
+[language-server-2]
+MAX_TIMESTAMP_LOOKAHEAD = 58
+SHOULD_LINEMERGE = False
+TIME_PREFIX = :
+is_valid = True
+
+[sup-pkg-edge-processor-config-too_small]
+PREFIX_SOURCETYPE = True
+SHOULD_LINEMERGE = False
+is_valid = True
+maxDist = 9999
+
+[sup-pkg-opamp-svc-too_small]
+PREFIX_SOURCETYPE = True
+SHOULD_LINEMERGE = False
+is_valid = True
+maxDist = 9999
+
+[sup-pkg-edge-processor-config-stdout-2]
+is_valid = True
+
+[sup-pkg-cmp-orchestrator-stdout-2]
+MAX_TIMESTAMP_LOOKAHEAD = 68
+TIME_PREFIX = (?:.*?:){2}
+is_valid = True
+
+[splunk_archiver-2]
+MAX_TIMESTAMP_LOOKAHEAD = 49
+SHOULD_LINEMERGE = False
+is_valid = True
+
+[sup-pkg-ipc_broker-stdout-2]
+MAX_TIMESTAMP_LOOKAHEAD = 68
+TIME_PREFIX = (?:.*?:){2}
+is_valid = True
+
+[sup-pkg-cmp-orchestrator-4]
+MAX_TIMESTAMP_LOOKAHEAD = 40
+is_valid = True
+
+[sup-pkg-postgres-4]
+MAX_TIMESTAMP_LOOKAHEAD = 40
+SHOULD_LINEMERGE = False
+is_valid = True
+
+[sup-pkg-edge-processor-config-4]
+MAX_TIMESTAMP_LOOKAHEAD = 44
+is_valid = True
+
+[sup-pkg-opamp-svc-3]
+MAX_TIMESTAMP_LOOKAHEAD = 40
+SHOULD_LINEMERGE = False
+is_valid = True
+
+[sup-pkg-spotlight-collector-3]
+MAX_TIMESTAMP_LOOKAHEAD = 47
+SHOULD_LINEMERGE = False
+is_valid = True
+
+[sup-pkg-postgres-5]
+MAX_TIMESTAMP_LOOKAHEAD = 40
+SHOULD_LINEMERGE = False
+is_valid = True
+
+[sup-pkg-opamp-svc-4]
+MAX_TIMESTAMP_LOOKAHEAD = 40
+SHOULD_LINEMERGE = False
+is_valid = True
+
+[sup-pkg-postgres-6]
+MAX_TIMESTAMP_LOOKAHEAD = 40
+SHOULD_LINEMERGE = False
+is_valid = True
+
+[sup-pkg-postgres-7]
+MAX_TIMESTAMP_LOOKAHEAD = 40
+SHOULD_LINEMERGE = False
+is_valid = True
+
+[apifilesave-too_small]
+PREFIX_SOURCETYPE = True
+SHOULD_LINEMERGE = False
+is_valid = True
+maxDist = 9999
+
+[gt_icon_collection-too_small]
+PREFIX_SOURCETYPE = True
+SHOULD_LINEMERGE = False
+is_valid = True
+maxDist = 9999
+
+[sup-pkg-postgres-8]
+MAX_TIMESTAMP_LOOKAHEAD = 40
+SHOULD_LINEMERGE = False
+is_valid = True
+
+[user_access_interface-too_small]
+PREFIX_SOURCETYPE = True
+SHOULD_LINEMERGE = False
+is_valid = True
+maxDist = 9999
+
+[sup-pkg-postgres-9]
+MAX_TIMESTAMP_LOOKAHEAD = 40
+SHOULD_LINEMERGE = False
+is_valid = True
+
+[sup-pkg-postgres-10]
+MAX_TIMESTAMP_LOOKAHEAD = 40
+SHOULD_LINEMERGE = False
+is_valid = True
+
+[mad_rest-too_small]
+PREFIX_SOURCETYPE = True
+SHOULD_LINEMERGE = False
+is_valid = True
+maxDist = 9999
+
+[sup-pkg-postgres-11]
+MAX_TIMESTAMP_LOOKAHEAD = 40
+SHOULD_LINEMERGE = False
+is_valid = True
+
+[unix_sc_rest-too_small]
+PREFIX_SOURCETYPE = True
+SHOULD_LINEMERGE = False
+is_valid = True
+maxDist = 9999
+
+[unixalertevents-too_small]
+PREFIX_SOURCETYPE = True
+SHOULD_LINEMERGE = False
+is_valid = True
+maxDist = 9999
+
+[unixalertsconfig-too_small]
+PREFIX_SOURCETYPE = True
+SHOULD_LINEMERGE = False
+is_valid = True
+maxDist = 9999
+
+[unixheadlines-too_small]
+PREFIX_SOURCETYPE = True
+SHOULD_LINEMERGE = False
+is_valid = True
+maxDist = 9999
+
+[unixsetup-too_small]
+PREFIX_SOURCETYPE = True
+SHOULD_LINEMERGE = False
+is_valid = True
+maxDist = 9999
+
+[unix_configured_handler-too_small]
+PREFIX_SOURCETYPE = True
+SHOULD_LINEMERGE = False
+is_valid = True
+maxDist = 9999
+
+[upgrader_package_delivery-too_small]
+PREFIX_SOURCETYPE = True
+SHOULD_LINEMERGE = False
+is_valid = True
+maxDist = 9999
+
+[sup-pkg-postgres-12]
+MAX_TIMESTAMP_LOOKAHEAD = 40
+SHOULD_LINEMERGE = False
+is_valid = True
+
+[sa-itsi-ai-summarization-too_small]
+PREFIX_SOURCETYPE = True
+SHOULD_LINEMERGE = False
+is_valid = True
+maxDist = 9999
+
+[sa-itsi-at-recommendations-too_small]
+PREFIX_SOURCETYPE = True
+SHOULD_LINEMERGE = False
+is_valid = True
+maxDist = 9999
+
+[upgrader_package_delivery-2]
+MAX_TIMESTAMP_LOOKAHEAD = 40
+SHOULD_LINEMERGE = False
+is_valid = True
+
+[sup-pkg-postgres-13]
+MAX_TIMESTAMP_LOOKAHEAD = 40
+SHOULD_LINEMERGE = False
+is_valid = True
+
+[splunk_instrumentation-2]
+MAX_TIMESTAMP_LOOKAHEAD = 44
+SHOULD_LINEMERGE = False
+is_valid = True
+
+[sup-pkg-postgres-14]
+MAX_TIMESTAMP_LOOKAHEAD = 40
+SHOULD_LINEMERGE = False
+is_valid = True
+
+[sup-pkg-postgres-15]
+MAX_TIMESTAMP_LOOKAHEAD = 40
+SHOULD_LINEMERGE = False
+is_valid = True
+
+[sup-pkg-postgres-16]
+MAX_TIMESTAMP_LOOKAHEAD = 40
+SHOULD_LINEMERGE = False
+is_valid = True
+
+[sup-pkg-postgres-17]
+MAX_TIMESTAMP_LOOKAHEAD = 40
+SHOULD_LINEMERGE = False
+is_valid = True
+
+[sup-pkg-postgres-18]
+MAX_TIMESTAMP_LOOKAHEAD = 40
+SHOULD_LINEMERGE = False
+is_valid = True
+
+[sup-pkg-postgres-19]
+MAX_TIMESTAMP_LOOKAHEAD = 40
+SHOULD_LINEMERGE = False
+is_valid = True
+
+[sup-pkg-postgres-20]
+MAX_TIMESTAMP_LOOKAHEAD = 40
+SHOULD_LINEMERGE = False
+is_valid = True
+
+[sup-pkg-postgres-21]
+MAX_TIMESTAMP_LOOKAHEAD = 40
+SHOULD_LINEMERGE = False
+is_valid = True
+
+[sup-pkg-postgres-22]
+MAX_TIMESTAMP_LOOKAHEAD = 40
+SHOULD_LINEMERGE = False
+is_valid = True
+
+[sup-pkg-postgres-23]
+MAX_TIMESTAMP_LOOKAHEAD = 40
+SHOULD_LINEMERGE = False
+is_valid = True
+
+[sup-pkg-postgres-24]
+MAX_TIMESTAMP_LOOKAHEAD = 40
+SHOULD_LINEMERGE = False
+is_valid = True
+
+[sup-pkg-postgres-25]
+MAX_TIMESTAMP_LOOKAHEAD = 40
+SHOULD_LINEMERGE = False
+is_valid = True
+
+[sup-pkg-postgres-26]
+MAX_TIMESTAMP_LOOKAHEAD = 40
+SHOULD_LINEMERGE = False
+is_valid = True
+
+[sup-pkg-postgres-27]
+MAX_TIMESTAMP_LOOKAHEAD = 40
+SHOULD_LINEMERGE = False
+is_valid = True
+
+[sup-pkg-postgres-28]
+MAX_TIMESTAMP_LOOKAHEAD = 40
+SHOULD_LINEMERGE = False
+is_valid = True
+
+[sup-pkg-spotlight-collector-4]
+MAX_TIMESTAMP_LOOKAHEAD = 47
+SHOULD_LINEMERGE = False
+is_valid = True
+
+[sup-pkg-postgres-29]
+MAX_TIMESTAMP_LOOKAHEAD = 40
+SHOULD_LINEMERGE = False
+is_valid = True
+
+[sup-pkg-postgres-30]
+MAX_TIMESTAMP_LOOKAHEAD = 40
+SHOULD_LINEMERGE = False
+is_valid = True
+
+[sup-pkg-postgres-31]
+MAX_TIMESTAMP_LOOKAHEAD = 40
+SHOULD_LINEMERGE = False
+is_valid = True
+
+[sup-pkg-postgres-32]
+MAX_TIMESTAMP_LOOKAHEAD = 40
+SHOULD_LINEMERGE = False
+is_valid = True
+
+[gt_icon_collection-2]
+MAX_TIMESTAMP_LOOKAHEAD = 44
+SHOULD_LINEMERGE = False
+is_valid = True
+
+[splunk_secure_gateway_modular_input.log]
+MAX_TIMESTAMP_LOOKAHEAD = 44
+SHOULD_LINEMERGE = False
+is_valid = True
+
+[itsi_untracked-too_small]
+PREFIX_SOURCETYPE = True
+SHOULD_LINEMERGE = False
+is_valid = True
+maxDist = 9999
+
+[itsi-too_small]
+PREFIX_SOURCETYPE = True
+SHOULD_LINEMERGE = False
+is_valid = True
+maxDist = 9999
+
+[itsi_apply_at_outliers-too_small]
+PREFIX_SOURCETYPE = True
+SHOULD_LINEMERGE = False
+is_valid = True
+maxDist = 9999
+
+[itsi_custom_threshold_window_overlaps_detector]
+MAX_TIMESTAMP_LOOKAHEAD = 48
+SHOULD_LINEMERGE = False
+is_valid = True
+
+[itsi_age_kpi_alert_value_cache-too_small]
+PREFIX_SOURCETYPE = True
+SHOULD_LINEMERGE = False
+is_valid = True
+maxDist = 9999
+
+[itsi_backfill-too_small]
+PREFIX_SOURCETYPE = True
+SHOULD_LINEMERGE = False
+is_valid = True
+maxDist = 9999
+
+[itsi_content_pack_authorship]
+MAX_TIMESTAMP_LOOKAHEAD = 48
+is_valid = True
+
+[itsi_content_packs_itsicli-too_small]
+PREFIX_SOURCETYPE = True
+SHOULD_LINEMERGE = False
+is_valid = True
+maxDist = 9999
+
+[itsi_content_packs_itsimodels]
+MAX_TIMESTAMP_LOOKAHEAD = 44
+SHOULD_LINEMERGE = False
+is_valid = True
+
+[itsi_csv_import]
+MAX_TIMESTAMP_LOOKAHEAD = 48
+SHOULD_LINEMERGE = False
+is_valid = True
+
+[itsi_episode_summarization_cleanup-too_small]
+PREFIX_SOURCETYPE = True
+SHOULD_LINEMERGE = False
+is_valid = True
+maxDist = 9999
+
+[itsi_exported_episode_files_cleaner]
+MAX_TIMESTAMP_LOOKAHEAD = 48
+is_valid = True
+
+[itsi_hec_init-too_small]
+PREFIX_SOURCETYPE = True
+SHOULD_LINEMERGE = False
+is_valid = True
+maxDist = 9999
+
+[itsi_maintenance_calendar_retention-too_small]
+PREFIX_SOURCETYPE = True
+SHOULD_LINEMERGE = False
+is_valid = True
+maxDist = 9999
+
+[itsi_nats_certificates_auto_rotation-too_small]
+PREFIX_SOURCETYPE = True
+SHOULD_LINEMERGE = False
+is_valid = True
+maxDist = 9999
+
+[itsi_notable_event_actions_consumer_assigning-too_small]
+PREFIX_SOURCETYPE = True
+SHOULD_LINEMERGE = False
+is_valid = True
+maxDist = 9999
+
+[itsi_notable_event_hec_init-too_small]
+PREFIX_SOURCETYPE = True
+SHOULD_LINEMERGE = False
+is_valid = True
+maxDist = 9999
+
+[itsi_queue_consumer_size_checker-too_small]
+PREFIX_SOURCETYPE = True
+SHOULD_LINEMERGE = False
+is_valid = True
+maxDist = 9999
+
+[itsi_user_access_init-too_small]
+PREFIX_SOURCETYPE = True
+SHOULD_LINEMERGE = False
+is_valid = True
+maxDist = 9999
+
+[itsi_backfill_record_cleanup-backfill_cleanup-too_small]
+PREFIX_SOURCETYPE = True
+SHOULD_LINEMERGE = False
+is_valid = True
+maxDist = 9999
+
+[itsi_content_packs_itoa-too_small]
+PREFIX_SOURCETYPE = True
+SHOULD_LINEMERGE = False
+is_valid = True
+maxDist = 9999
+
+[itsi_content_packs_retrieve-too_small]
+PREFIX_SOURCETYPE = True
+SHOULD_LINEMERGE = False
+is_valid = True
+maxDist = 9999
+
+[itsi_content_packs_saved_search_status-too_small]
+PREFIX_SOURCETYPE = True
+SHOULD_LINEMERGE = False
+is_valid = True
+maxDist = 9999
+
+[itsi_command_change_rules_engine_process-too_small]
+PREFIX_SOURCETYPE = True
+SHOULD_LINEMERGE = False
+is_valid = True
+maxDist = 9999
+
+[itsi-nats-server]
+MAX_TIMESTAMP_LOOKAHEAD = 56
+SHOULD_LINEMERGE = False
+is_valid = True
+
+[itsi_content_packs_preview-too_small]
+PREFIX_SOURCETYPE = True
+SHOULD_LINEMERGE = False
+is_valid = True
+maxDist = 9999
+
+[itsi_content_packs_install-too_small]
+PREFIX_SOURCETYPE = True
+SHOULD_LINEMERGE = False
+is_valid = True
+maxDist = 9999
+
+[itsi_command_getservice-too_small]
+PREFIX_SOURCETYPE = True
+SHOULD_LINEMERGE = False
+is_valid = True
+maxDist = 9999
+
+[unix_installer-too_small]
+PREFIX_SOURCETYPE = True
+SHOULD_LINEMERGE = False
+is_valid = True
+maxDist = 9999
+
+[itsi_ai_summary_worker]
+MAX_TIMESTAMP_LOOKAHEAD = 73
+is_valid = True
+
+[itsi_command_batch_at-too_small]
+PREFIX_SOURCETYPE = True
+SHOULD_LINEMERGE = False
+is_valid = True
+maxDist = 9999
+
+[itsi_appserver.log-too_small]
+PREFIX_SOURCETYPE = True
+SHOULD_LINEMERGE = False
+is_valid = True
+maxDist = 9999
+
+[itsi_queue_re_init.log]
+MAX_TIMESTAMP_LOOKAHEAD = 44
+SHOULD_LINEMERGE = False
+is_valid = True
+
+[itsi_license_checker.log-too_small]
+PREFIX_SOURCETYPE = True
+SHOULD_LINEMERGE = False
+is_valid = True
+maxDist = 9999
+
+[itsi_license_checker.log-2]
+MAX_TIMESTAMP_LOOKAHEAD = 44
+SHOULD_LINEMERGE = False
+is_valid = True
+
+[itsi_nats_mod_input.log]
+MAX_TIMESTAMP_LOOKAHEAD = 48
+SHOULD_LINEMERGE = False
+is_valid = True
+
+[itsi_command_health_monitor.log-too_small]
+PREFIX_SOURCETYPE = True
+SHOULD_LINEMERGE = False
+is_valid = True
+maxDist = 9999
+
+[itsi_command_set_severity_fields_v2.log-too_small]
+PREFIX_SOURCETYPE = True
+SHOULD_LINEMERGE = False
+is_valid = True
+maxDist = 9999
+
+[itsi_backup_restore-too_small]
+PREFIX_SOURCETYPE = True
+SHOULD_LINEMERGE = False
+is_valid = True
+maxDist = 9999
+
+[itsi_default_correlation_search_acl_loader.log]
+MAX_TIMESTAMP_LOOKAHEAD = 48
+is_valid = True
+
+[trackme_audit_events-too_small]
+PREFIX_SOURCETYPE = True
+SHOULD_LINEMERGE = False
+is_valid = True
+maxDist = 9999
+
+[trackme_state_events-too_small]
+PREFIX_SOURCETYPE = True
+SHOULD_LINEMERGE = False
+is_valid = True
+maxDist = 9999
+
+[trackme_handler_events-too_small]
+PREFIX_SOURCETYPE = True
+SHOULD_LINEMERGE = False
+is_valid = True
+maxDist = 9999
+
+[trackme_state_events-2]
+MAX_TIMESTAMP_LOOKAHEAD = 40
+SHOULD_LINEMERGE = False
+is_valid = True
+
+[trackme_handler_events-2]
+MAX_TIMESTAMP_LOOKAHEAD = 40
+SHOULD_LINEMERGE = False
+is_valid = True
+
+[git_pusher-too_small]
+PREFIX_SOURCETYPE = True
+SHOULD_LINEMERGE = False
+is_valid = True
+maxDist = 9999
+
+[git_pusher_startup-too_small]
+PREFIX_SOURCETYPE = True
+is_valid = True
+maxDist = 9999
+
+[git_pusher-3]
+MAX_TIMESTAMP_LOOKAHEAD = 44
+is_valid = True
+
+[git_pusher_startup-2]
+MAX_TIMESTAMP_LOOKAHEAD = 44
+is_valid = True
+
+[mlspl.log]
+MAX_TIMESTAMP_LOOKAHEAD = 73
+is_valid = True
+
+[git_pusher-5]
+MAX_TIMESTAMP_LOOKAHEAD = 44
+is_valid = True

apps/learned/metadata/default.meta

@@ -0,0 +1,24 @@
+
+### export: eventtypes, savedsearches, transforms and props
+
+[eventtypes]
+access = read : [ * ], write : [ admin, power ]
+export = system
+
+[savedsearches]
+access = read : [ * ], write : [ admin, power ]
+export = system
+
+[transforms]
+access = read : [ * ], write : [ admin, power ]
+export = system
+
+[props]
+access = read : [ * ], write : [ admin, power ]
+export = system
+
+### VIEWSTATES: even normal users should be able to create shared viewstates
+
+[viewstates]
+access = read : [ * ], write : [ * ]
+