Version 1.2.55

- Feature: Provides a new split by custom mode to allow defining a custom indexed field in the data source discovery and maintenance workflow - Feature: Notification bar and various UI improvements in the configuration UI
guilhemmarchand · Oct 27, 2021 · 097b7ca · 097b7ca
1 parent ca6e8b2
commit 097b7ca
Show file tree

Hide file tree

Showing 6 changed files with 163 additions and 60 deletions.
diff --git a/docs/configuration.rst b/docs/configuration.rst
@@ -130,10 +130,11 @@ TrackMe Data Sources - Define what works for you
 
 The primary concept of TrackMe is called **data sources**, See :ref:`Data Sources tracking and features` in the User guide for more explanations.
 
-For the purposes of defining the best strategy that works for you, let's explain the 3 modes available, which you can configure via the ``Trackme manage and configure`` interface:
+For the purposes of defining the best strategy that works for you, let's explain the different modes available, which you can configure via the ``Trackme manage and configure`` interface:
 
 - Split mode (default)
-- Merge mode
+- Split custom mode
+- Merged mode
 - Cribl mode
 
 .. image:: img/step_by_step_configure/ui_data_sources_mode.png
@@ -162,10 +163,23 @@ On the other hand, would we index these 3 WinEventLogs into a unique index, we w
 
 Don't worry, TrackMe has plenty of features that allow you to cover any use cases (Elastic Sources, allow and block listing, etc), the Split mode is generally what covers most use cases, but this is very depending to your context.
 
+Trackme Data Sources - split custom mode
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+The Split custom mode allows you to define an additional indexed field to be used when discovering and maintaining the data sources.
+
+Once you define the indexed field, entities are going to be created as following:
+
+``index + ":" + sourcetype + "|<keyName>:<keyValue>``
+
+Where ``keyName`` is the name of the indexed field, ``keyValue`` the value.
+
+.. hint:: Once enabled, any data source that does not include the indexed field will not be discovered any longer, you can handle any additional use cases as :ref:`Elastic Sources` or create custom trackers in hybrid mode.
+
 Trackme Data Sources - Merged mode
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
-On the opposite, the Merged mode removes the concept of sourcetype and basically creates 1 entity per index, no matters what sourcetypes are indexed in it, entities are created as:
+The Merged mode removes the concept of sourcetype and basically creates 1 entity per index, no matters what sourcetypes are indexed in it, entities are created as:
 
 ``index + ":all"``
 

diff --git a/docs/img/step_by_step_configure/ui_data_sources_mode.png b/docs/img/step_by_step_configure/ui_data_sources_mode.png
diff --git a/docs/releasenotes.rst b/docs/releasenotes.rst
@@ -10,6 +10,8 @@ Version 1.2.55
     - Some functions such as builtin alert actions are not compatible any longer with Python2 and Splunk 7.x
     - For the latest version available for Splunk 7.x, see the release 1.2.51
 
+- Feature: Provides a new split by custom mode to allow defining a custom indexed field in the data source discovery and maintenance workflow
+- Feature: Notification bar and various UI improvements in the configuration UI
 
 Version 1.2.54
 ==============

diff --git a/package/default/data/ui/html/TrackMe.html b/package/default/data/ui/html/TrackMe.html
@@ -19667,11 +19667,12 @@ <h2 class="panel-title">Click on a table row to access object contextual actions
 
                     }
 
-                    // split by source mode
-                    else if (/\|s:/i.test(tk_data_name)) {
-                        regex_matches = tk_data_name.match(/\|s:(.*)/);
-                        sourceValue = regex_matches[1];
-                        tk_data_source_overview_root_search = "| `trackme_tstats` dc(host) as dcount_host count latest(_indextime) as indextime max(_time) as maxtime where index=\"" + tk_data_index + "\" sourcetype=\"" + tk_data_sourcetype + "\" source=\"" + sourceValue + "\" `trackme_tstats_main_filter` by _time, index, sourcetype, source span=1s | eval delta=(indextime-_time), event_lag=(now() - maxtime)";
+                    // split by custom mode
+                    else if (/\|key:/i.test(tk_data_name)) {
+                        regex_matches = tk_data_name.match(/\|key:([^\|]+)\|(.*)/);
+                        keyName = regex_matches[1];
+                        keyValue = regex_matches[2];
+                        tk_data_source_overview_root_search = "| `trackme_tstats` dc(host) as dcount_host count latest(_indextime) as indextime max(_time) as maxtime where index=\"" + tk_data_index + "\" sourcetype=\"" + tk_data_sourcetype + "\" " + keyName + "=\"" + keyValue + "\" `trackme_tstats_main_filter` by _time, index, sourcetype, source span=1s | eval delta=(indextime-_time), event_lag=(now() - maxtime)";
                         tk_data_source_raw_search = "null";
                         setToken("tk_data_source_timechart_count_aggreg", TokenUtils.replaceTokenNames("sum", _.extend(submittedTokenModel.toJSON(), e.data)));
                     }
@@ -19793,12 +19794,15 @@ <h2 class="panel-title">Click on a table row to access object contextual actions
                     if (/\|cribl:/i.test(tk_data_name)) {
                         var search_data_source = 'search' + "?q=search%20index%3D\"" + encodeURI(tk_data_index) + "\"" + " sourcetype%3D\"" + encodeURI(tk_data_sourcetype) + "\"" + " cribl_pipe::" + encodeURI(cribl_pipe)
                     }
-                    // split by source
-                    else if (/\|s:/i.test(tk_data_name)) {
-                        regex_matches = tk_data_name.match(/\|s:(.*)/);
-                        sourceValue = regex_matches[1];
-                        var search_data_source = 'search' + "?q=search%20index%3D\"" + encodeURI(tk_data_index) + "\"" + " sourcetype%3D\"" + encodeURI(tk_data_sourcetype) + "\"" + " source%3D\"" + encodeURI(sourceValue) + "\""
+
+                    // split by custom
+                    else if (/\|key:/i.test(tk_data_name)) {
+                        regex_matches = tk_data_name.match(/\|key:([^\|]+)\|(.*)/);
+                        keyName = regex_matches[1];
+                        keyValue = regex_matches[2];
+                        var search_data_source = 'search' + "?q=search%20index%3D\"" + encodeURI(tk_data_index) + "\"" + " sourcetype%3D\"" + encodeURI(tk_data_sourcetype) + "\" " + keyName + "%3D\"" + encodeURI(keyValue) + "\""
                     }
+
                     // standard split
                     else {
                         var search_data_source = 'search' + "?q=search%20index%3D\"" + encodeURI(tk_data_index) + "\"" + " sourcetype%3D\"" + encodeURI(tk_data_sourcetype) + "\""