I'm having issues with eventtypes not being applied correctly to the VMware Carbon Black Cloud ingest, which I can't figure out, as each search in the chain successfully finds events. These are the three eventtypes that chain together. The first two apply correctly (vmware_cbc_base_index, vmware_cbc_alerts), but not the third (vmware_cbc_malware).
From eventtypes.conf:
[vmware_cbc_base_index]
search = index=carbonblack_audit
[vmware_cbc_alerts]
search = eventtype=vmware_cbc_base_index sourcetype="vmware:cbc:s3:alerts" OR sourcetype="vmware:cbc:alerts"
[vmware_cbc_malware]
search = eventtype=vmware_cbc_alerts threat_cause_threat_category="*MALWARE*" NOT threat_cause_threat_category="*NON_MALWARE*"
eventtype              count
vmware_cbc_alerts      65
vmware_cbc_base_index  65
Can anyone help me figure out why this third eventtype is not being applied?
Sigh, never mind, this was an issue with exports in default.meta.
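For anyone who lands here with the same symptom, this is an added illustration (not from the original post, and not shipped by any VMware app) of the metadata/default.meta scoping that causes a chained eventtype to resolve fine by hand but match nothing when referenced by name. The app layout, the `[props]`/`[transforms]` stanzas and the field-extraction remark are assumptions for the example.

```ini
# Constructed example: metadata/default.meta in the app that ships the
# vmware_cbc_* eventtypes (placeholder app, not the original poster's).

# --- Before: why vmware_cbc_malware found nothing ---
# A knowledge object defaults to the scope of its own app. When a search
# runs in a different app context, "eventtype=vmware_cbc_alerts" does not
# resolve, so any eventtype built on it silently matches zero events even
# though pasting the expanded search in by hand works.
#
# [eventtypes]
# access = read : [ * ], write : [ admin ]
# export = none

# --- After: make the chain visible everywhere ---
# Export the eventtypes system-wide so any app can reference them by name.
[eventtypes]
access = read : [ * ], write : [ admin ]
export = system

# Assumption: the extraction for threat_cause_threat_category lives in the
# same app. An eventtype that filters on a field can only match if that
# extraction is visible in the same scope, so export it too.
[props]
export = system

[transforms]
export = system
```

On the search head, `splunk btool eventtypes list --debug` prints which app each stanza is being read from, which is the quickest way to confirm the export took effect.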