# Search macros for the Sandfly app (looks like a Splunk macros.conf: each stanza
# names a macro, `definition` is the search fragment the macro expands to, and
# `iseval = 0` marks the definition as literal text rather than an eval expression).
# NOTE(review): every definition below starts with index="*", so any search that
# expands one of these macros scans all indexes the calling user can read. That is
# slower than a scoped search and will also pick up sandfly:* sourcetypes if they are
# ever ingested outside the app's intended index. Scoping to the app's index (or to
# one shared index macro) is the usual fix; not applied here because it changes
# which events the macros return — confirm the deployment's index first.

# All alarm events. Same definition as sandfly_search_alarms below — presumably a
# legacy alias kept for existing dashboards; confirm before removing either.
[sandfly_search]
definition = index="*" sourcetype="sandfly:alarms"
iseval = 0

# All alarm events.
[sandfly_search_alarms]
definition = index="*" sourcetype="sandfly:alarms"
iseval = 0

# Every event the app ingests, regardless of sourcetype.
[sandfly_search_all]
definition = index="*" sourcetype="sandfly:*"
iseval = 0

# SSH key inventory events. Same definition as sandfly_search_ssh_hunter below.
[sandfly_search_sshkeys]
definition = index="*" sourcetype="sandfly:ssh:keys"
iseval = 0

# Sandfly (detection module) events.
[sandfly_search_sandflies]
definition = index="*" sourcetype="sandfly:sandflies"
iseval = 0

# SSH key inventory events (alias of sandfly_search_sshkeys — confirm which name
# the dashboards use before consolidating).
[sandfly_search_ssh_hunter]
definition = index="*" sourcetype="sandfly:ssh:keys"
iseval = 0

# All host events.
[sandfly_search_hosts]
definition = index="*" sourcetype="sandfly:hosts"
iseval = 0

# Host events carrying the per-host detail record (event_type="host_details").
[sandfly_search_hosts_details]
definition = index="*" sourcetype="sandfly:hosts" event_type="host_details"
iseval = 0

# Host events carrying the per-host summary record (event_type="host_summary").
[sandfly_search_hosts_summary]
definition = index="*" sourcetype="sandfly:hosts" event_type="host_summary"
iseval = 0

# Audit log events.
[sandfly_search_audit]
definition = index="*" sourcetype="sandfly:logs:audit"
iseval = 0

# All error log events.
[sandfly_search_errors]
definition = index="*" sourcetype="sandfly:logs:error"
iseval = 0

# Error log events in detailed mode (log_mode="detailed").
[sandfly_search_errors_detailed]
definition = index="*" sourcetype="sandfly:logs:error" log_mode="detailed"
iseval = 0

# Error log events in summary mode (log_mode="summary").
[sandfly_search_errors_summary]
definition = index="*" sourcetype="sandfly:logs:error" log_mode="summary"
iseval = 0

# Whitelist events.
[sandfly_search_whitelist]
definition = index="*" sourcetype="sandfly:whitelist"
iseval = 0

# Alarm events in alert status that were raised by drift detection. The field name
# "data.status" is quoted because it contains a dot.
[sandfly_search_drift]
definition = index="*" sourcetype="sandfly:alarms" "data.status"=alert drift_result=true
iseval = 0

# Alarm events that passed because the result was whitelisted — useful for
# reviewing what the whitelist is currently suppressing.
[sandfly_search_results_whitelisted]
definition = index="*" sourcetype="sandfly:alarms" "data.status"=pass whitelisted=true
iseval = 0