diff --git a/default/app.conf b/default/app.conf
index c9fd876..13c07df 100644
--- a/default/app.conf
+++ b/default/app.conf
@@ -1,6 +1,6 @@
 [install]
 is_configured = 1
-build = 1.8.0
+build = 1.8.1

 [ui]
 is_visible = 1
@@ -9,7 +9,7 @@ label = SA-cim_vladiator
 [launcher]
 author = hire.vladimir@gmail.com
 description = https://github.com/hire-vladimir/SA-cim_vladiator
-version = 1.8.0
+version = 1.8.1

 [package]
 id = SA-cim_vladiator
diff --git a/default/data/ui/views/cim_dictionary.xml b/default/data/ui/views/cim_dictionary.xml
index 029ce42..04354b8 100644
--- a/default/data/ui/views/cim_dictionary.xml
+++ b/default/data/ui/views/cim_dictionary.xml
@@ -1,4 +1,4 @@
-
+
diff --git a/default/data/ui/views/cim_validator.xml b/default/data/ui/views/cim_validator.xml index 6514605..56e533a 100644 --- a/default/data/ui/views/cim_validator.xml +++ b/default/data/ui/views/cim_validator.xml @@ -1,4 +1,4 @@ - + | datamodel $dm$ | rex max_match=999 "fieldName\":\"(?<field>[^\"]+)" | stats values(field) as field | mvexpand field | where NOT match(field, "_time|host|sourcetype|source|[A-Z]+|_bunit|_category|_priority|_requires_av|_should_update") OR match(field, "object_category") | join type=outer field [$search_type$ $cim_search$ | head $event_limit$ | fieldsummary maxvals=15 | eventstats max(count) AS total | eval percent_coverage=round(count/total*100, 2) | table field, percent_coverage, distinct_count, total, values] | spath input=values | rename {}.value AS sample_values {}.count AS sample_count distinct_count AS distinct_value_count total AS total_events | fillnull value=0 percent_coverage, distinct_value_count, total_events | mvmath field=sample_count field2=total_events | eval field_values=mvzip(mvmath_result, sample_values, " ") | lookup cim_validation_regex field | mvrex showcount=t showunmatched=t field=sample_values validation_regex | eval is_cim_valid=case(total_events==0, "severe!!!no extracted values found", percent_coverage < 90, "elevated!!!event coverage less than 90%", mvrex_unmatched_count > 0, "elevated!!!found ".mvrex_unmatched_count." unexpected values (".mvjoin(mvrex_unmatched, ", ").")", isnull(validation_regex) OR validation_regex=="", "check!!!no validation regex was found to evaluate", 1==1, "low!!!looking good!") | lookup cim_validator_recommended_fields field OUTPUT is_recommended | eval ir=if(is_recommended=="true", "star", null()) | table ir, field, total_events, distinct_value_count, percent_coverage, field_values, is_cim_valid
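Review bot: In the base search visible in this hunk, `where NOT match(field, "_time|host|sourcetype|source|[A-Z]+|...")` is unanchored, so any data-model field whose name merely contains `host` or `source` is dropped from validation together with the intended metadata fields. A field that is silently excluded never receives a coverage or regex verdict, which can hide normalization gaps in data that detections rely on. Anchoring the exact names and keeping the suffix patterns as suffixes would preserve the apparent intent: `match(field, "^(_time|host|sourcetype|source)$|[A-Z]+|(_bunit|_category|_priority|_requires_av|_should_update)$")`. The XML markup of this hunk was lost in extraction, so the changed first line is not visible and the query appears to be unchanged context.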