refactor: Adopt consistent structure for vars (#1409)

Continue cleanup for v2, Refactor variables to use .tmp. for vars that do not need to be retained. Use .values. for values to be used after parser
splunk · Jan 30, 2022 · b154557 · b154557
1 parent b1a2aed
commit b154557
Show file tree

Hide file tree

Showing 19 changed files with 245 additions and 249 deletions.
diff --git a/package/etc/conf.d/conflib/json/app-json-novell_netiq.conf b/package/etc/conf.d/conflib/json/app-json-novell_netiq.conf
@@ -5,7 +5,7 @@ block parser app-json-novell_netiq() {
                 r_set_splunk_dest_default(
                     vendor_product('novell_netiq'),
                     index('netauth'),
-                    source('novell:netiq:${.json.component}'),
+                    source('novell:netiq:${.values.component}'),
                     sourcetype('novell:netiq')                                    
                 );
         };
@@ -14,14 +14,14 @@ block parser app-json-novell_netiq() {
             date-parser-nofilter(format(
                         '%a, %d %b %Y %H:%M:%S %z',
                     )
-                template("${.json.timeStamp}")
+                template("${.values.timeStamp}")
             );
         };
     };   
 };
 application app-json-novell_netiq[json] {
 	filter{
-        "${.json.appName}" eq "Novell Access Manager";
+        "${.values.appName}" eq "Novell Access Manager";
     };
     parser { app-json-novell_netiq(); };   
 };
diff --git a/package/etc/conf.d/conflib/json/app-json-zscaler_lss.conf b/package/etc/conf.d/conflib/json/app-json-zscaler_lss.conf
@@ -3,9 +3,9 @@ block parser app-json-zscaler_lss() {
 
         if {
             filter {
-                match('.' value('.json.ClientZEN'))
-                and match('.' value('.json.AppGroup'))
-                and match('.' value('.json.Application'))
+                match('.' value('.values.ClientZEN'))
+                and match('.' value('.values.AppGroup'))
+                and match('.' value('.values.Application'))
             };
             rewrite {
                 r_set_splunk_dest_default(
@@ -16,9 +16,9 @@ block parser app-json-zscaler_lss() {
             };           
         } elif {
             filter {
-                match('.' value('.json.Exporter'))
-                and match('.' value('.json.Customer'))
-                and match('.' value('.json.ConnectionID'))
+                match('.' value('.values.Exporter'))
+                and match('.' value('.values.Customer'))
+                and match('.' value('.values.ConnectionID'))
             };
             rewrite {
                 r_set_splunk_dest_default(
@@ -29,9 +29,9 @@ block parser app-json-zscaler_lss() {
             };                       
         } elif {
             filter {
-                match('.' value('.json.Connector'))
-                and match('.' value('.json.Customer'))
-                and match('.' value('.json.ConnectorGroup'))
+                match('.' value('.values.Connector'))
+                and match('.' value('.values.Customer'))
+                and match('.' value('.values.ConnectorGroup'))
             };
             rewrite {
                 r_set_splunk_dest_default(
@@ -42,8 +42,8 @@ block parser app-json-zscaler_lss() {
             };                       
         } elif {
             filter {
-                match('.' value('.json.SAMLAttributes'))
-                and match('.' value('.json.Customer'))
+                match('.' value('.values.SAMLAttributes'))
+                and match('.' value('.values.Customer'))
             };
             rewrite {
                 r_set_splunk_dest_default(
@@ -58,7 +58,7 @@ block parser app-json-zscaler_lss() {
             date-parser(
                 format('%a %b %d %H:%M:%S %Y',
                        '%a %b %d %k:%M:%S %Y')
-                template("${.json.LogTimestamp}")
+                template("${.values.LogTimestamp}")
                 flags(guess-timezone)
             );
         };

diff --git a/package/etc/conf.d/conflib/netsource/app-netsource-dell_rsa_secureid.conf b/package/etc/conf.d/conflib/netsource/app-netsource-dell_rsa_secureid.conf
@@ -18,21 +18,16 @@ block parser app-netsource-dell_rsa_secureid() {
                 #we need to actual even time from the field GeneratedTime. Use csv-parser to extract it.
                 csv-parser(
                     columns("time","ms","host","type")
-                    prefix(".rsa.")
+                    prefix(".tmp.")
                     delimiters(',')
                     );
                 #2012/04/10 04:39:55
                 #parse the date
                 date-parser-nofilter(format(
                         '%Y-%m-%d %H:%M:%S,%f')
-                        template("${LEGACY_MSGHDR} ${.rsa.time},${.rsa.ms}")
+                        template("${LEGACY_MSGHDR} ${.tmp.time},${.tmp.ms}")
                 );
             };
-            # rewrite {
-            #     set("${.rsa.host}" value("HOST")
-            #     condition( match('^.' value('.rsa.host') )) );
-            #     subst('\..*$' , '' , value('HOST'));
-            # };
             rewrite {
                 r_set_splunk_dest_update(
                     sourcetype('rsa:securid:syslog')
@@ -41,19 +36,19 @@ block parser app-netsource-dell_rsa_secureid() {
             rewrite {
                 r_set_splunk_dest_update(
                     sourcetype('rsa:securid:admin:syslog')
-                    condition(match('audit\.admin' value('.rsa.type')))
+                    condition(match('audit\.admin' value('.tmp.type')))
                 );
             };
             rewrite {
                 r_set_splunk_dest_update(
                     sourcetype('rsa:securid:system:syslog')
-                    condition(match('system\.com\.rsa|,\s+system\.erationsconsole' value('.rsa.type')))
+                    condition(match('system\.com\.rsa|,\s+system\.erationsconsole' value('.tmp.type')))
                 );
             };
             rewrite {
                 r_set_splunk_dest_update(
                     sourcetype('rsa:securid:runtime:syslog')
-                    condition(match('audit\.runtime\.com\.rsa' value('.rsa.type')))
+                    condition(match('audit\.runtime\.com\.rsa' value('.tmp.type')))
                 );
             };            
         } elif {

diff --git a/package/etc/conf.d/conflib/netsource/app-netsource-sophos_webappliance.conf b/package/etc/conf.d/conflib/netsource/app-netsource-sophos_webappliance.conf
@@ -11,11 +11,13 @@ block parser app-netsource-sophos_webappliance() {
             subst(' [^=]+=(?:"-"|-)', '' flags(global));
         };
         parser {
-            kv-parser(prefix(".swa.") pair-separator(" ") );
-
+            kv-parser(
+                prefix(".values.") 
+                pair-separator(" ")
+            );            
         };
         parser {
-            date-parser-nofilter(format("%s") template("${.swa.t}"));
+            date-parser-nofilter(format("%s") template("${.values.t}"));
         };
    };
 };

diff --git a/package/etc/conf.d/conflib/post-filter/app-postfilter-cisco_acs.conf b/package/etc/conf.d/conflib/post-filter/app-postfilter-cisco_acs.conf
@@ -2,20 +2,20 @@
 parser p_acs_event_time_multi {
     csv-parser(
         columns(DATE, TIME, TZ)
-        prefix(".cisco.")
+        prefix(".tmp.")
         delimiters(chars(" "))
-        template('${.cisco.date_seg}')
+        template('${.tmp.date_seg}')
     );
 
     date-parser-nofilter(
             #YYYY- MM-DD hh:mm:ss:xxx +/-zh:zm
             format('%Y-%m-%d %H:%M:%S.%f %z')
-            template("${.cisco.DATE} ${.cisco.TIME} ${.cisco.TZ}")
+            template("${.tmp.DATE} ${.tmp.TIME} ${.tmp.TZ}")
     );
 };
 
 template t_acs_message {
-        template("${PROGRAM} ${.cisco.serial} 1 0 ${.gb.message}");
+        template("${PROGRAM} ${.values.serial} 1 0 ${.gb.message}");
 };
 
 block parser app-postfilter-cisco_acs() {    
@@ -24,16 +24,16 @@ block parser app-postfilter-cisco_acs() {
         parser{
             grouping-by(
                 scope(program)
-                key("${.cisco.serial}")
-                trigger("$(context-length)" >= "${.cisco.num}")
-                sort-key("${.cisco.seq}")
+                key("${.values.serial}")
+                trigger("$(context-length)" >= "${.values.num}")
+                sort-key("${.values.seq}")
                 aggregate(
                     value(".gb.complete" "1")
-                    #value(".gb.message" "$(context-lookup ("1" eq "1" ) ${.cisco.message})")
-                    value(".gb.message" "$(implode '' $(list-slice 0:-1 $(context-values ${.cisco.message})))")
+                    #value(".gb.message" "$(context-lookup ("1" eq "1" ) ${.values.message})")
+                    value(".gb.message" "$(implode '' $(list-slice 0:-1 $(context-values ${.values.message})))")
                     value("PROGRAM" "${PROGRAM}@1")
-                    value(".cisco.serial" "${.cisco.serial}@1")
-                    value(".cisco.date_seg" "$(list-head $(context-values ${.cisco.message}))")
+                    value(".values.serial" "${.values.serial}@1")
+                    value(".tmp.date_seg" "$(list-head $(context-values ${.values.message}))")
                     value(".splunk.sc4s_template", "t_acs_message")
                     value("fields.sc4s_merge_count", "$(context-length)")
                     inherit-mode(context)
@@ -59,7 +59,7 @@ block parser app-postfilter-cisco_acs() {
 application app-postfilter-cisco_acs[sc4s-postfilter] {
 	filter { 
         program('CSCOacs' type(string) flags(prefix))
-        and "${.cisco.num}" ne "1";
+        and "${.values.num}" ne "1";
     };	
     parser { app-postfilter-cisco_acs(); };   
 };

diff --git a/package/etc/conf.d/conflib/post-filter/app-postfilter-cisco_ise.conf b/package/etc/conf.d/conflib/post-filter/app-postfilter-cisco_ise.conf
@@ -2,20 +2,20 @@
 parser p_ise_event_time_multi {
     csv-parser(
         columns(DATE, TIME, TZ)
-        prefix(".cisco.")
+        prefix(".tmp.")
         delimiters(chars(" "))
         template('${.gb.date_seg}')
     );
 
     date-parser-nofilter(
             #YYYY- MM-DD hh:mm:ss:xxx +/-zh:zm
             format('%Y-%m-%d %H:%M:%S.%f %z')
-            template("${.cisco.DATE} ${.cisco.TIME} ${.cisco.TZ}")
+            template("${.tmp.DATE} ${.tmp.TIME} ${.tmp.TZ}")
     );
 };
 
 template t_ise_message {
-        template("${PROGRAM} ${.cisco.serial} 1 0 ${.gb.message}");
+        template("${PROGRAM} ${.values.serial} 1 0 ${.gb.message}");
 };
 
 block parser app-postfilter-cisco_ise() {    
@@ -24,16 +24,15 @@ block parser app-postfilter-cisco_ise() {
         parser{
             grouping-by(
                 scope(program)
-                key("${.cisco.serial}")
-                trigger("$(context-length)" >= "${.cisco.num}")
-                sort-key("${.cisco.seq}")
+                key("${.values.serial}")
+                trigger("$(context-length)" >= "${.values.num}")
+                sort-key("${.values.seq}")
                 aggregate(
                     value(".gb.complete" "1")
-                    #value(".gb.message" "$(context-lookup ("1" eq "1" ) ${.cisco.message})")
-                    value(".gb.message" "$(implode '' $(list-slice 0:-1 $(context-values ${.cisco.message})))")
+                    value(".gb.message" "$(implode '' $(list-slice 0:-1 $(context-values ${.values.message})))")
                     value("PROGRAM" "${PROGRAM}@1")
-                    value(".cisco.serial" "${.cisco.serial}@1")
-                    value(".gb.date_seg" "$(list-head $(context-values ${.cisco.message}))")
+                    value(".values.serial" "${.values.serial}@1")
+                    value(".gb.date_seg" "$(list-head $(context-values ${.values.message}))")
                     value(".splunk.sc4s_template", "t_ise_message")
                     value("fields.sc4s_merge_count", "$(context-length)")
                     inherit-mode(context)