Hi @TestUser,

I don't know of any best practices for such a check; the only advice I can give you is to use common sense. Follow the procedure you indicated, which seems correct to me: verify (if you haven't already done so) that before the upgrade there are no parsing and normalization problems and, if possible, use a data set that you have already acquired with the old version of the add-on. At the end, don't just check that the data parsing is correct, but also check that the normalization rules that the add-on must have if it is CIM compliant (otherwise it is not relevant) are correctly applied (eventtype, tags and fields).

About tools, I usually use the SA_CIM-Vladiator app (https://splunkbase.splunk.com/app/2968) to check the normalization status, but there are also other tools to check the CIM compliance of a data flow.

Ciao.
Giuseppe
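One way to automate the before/after comparison described in the answer above, as an added example that is not part of the original post or of any Splunk tool. It assumes the results of the same search were exported as a list of field dictionaries once with the old add-on version and once with the new one; the field list, events and names below are constructed for illustration.

```python
from collections import Counter

# Assumption: illustrative field list; use the fields of the CIM data model
# that your add-on maps to.
EXPECTED_FIELDS = ("action", "app", "src", "dest", "user")

# Constructed sample: the same two events as returned with the old add-on
# version (BEFORE) and with the upgraded one (AFTER).
BEFORE = [
    {"action": "success", "app": "sshd", "src": "10.0.0.5", "dest": "host1",
     "user": "alice", "eventtype": ["sshd_authentication"], "tag": ["authentication"]},
    {"action": "failure", "app": "sshd", "src": "10.0.0.6", "dest": "host1",
     "user": "bob", "eventtype": ["sshd_authentication"], "tag": ["authentication"]},
]
AFTER = [
    {"action": "success", "app": "sshd", "src_ip": "10.0.0.5", "dest": "host1",
     "user": "alice", "eventtype": ["sshd_authentication"], "tag": []},
    {"action": "failure", "app": "sshd", "src_ip": "10.0.0.6", "dest": "host1",
     "user": "bob", "eventtype": ["sshd_authentication"], "tag": []},
]

def present(value):
    """True when a field carries a usable value."""
    return value not in (None, "", [])

def coverage(events, names):
    """Fraction of events in which each named field is populated."""
    total = len(events) or 1
    hits = Counter(n for e in events for n in names if present(e.get(n)))
    return {n: hits[n] / total for n in names}

def values(events, key):
    """All values seen in a multivalue field such as eventtype or tag."""
    return {v for e in events for v in e.get(key) or []}

def compare(before, after, fields=EXPECTED_FIELDS):
    """Report what the upgraded add-on no longer extracts or normalizes."""
    cov_b, cov_a = coverage(before, fields), coverage(after, fields)
    seen = lambda evs: {k for e in evs for k, v in e.items() if present(v)}
    return {
        "coverage_drop": {n: (cov_b[n], cov_a[n]) for n in fields if cov_a[n] < cov_b[n]},
        "fields_lost": sorted(seen(before) - seen(after)),
        "eventtypes_lost": sorted(values(before, "eventtype") - values(after, "eventtype")),
        "tags_lost": sorted(values(before, "tag") - values(after, "tag")),
    }

if __name__ == "__main__":
    for check, result in compare(BEFORE, AFTER).items():
        print(check, result)
```

In the constructed sample the upgrade renames `src` to `src_ip` and drops the `authentication` tag, so parsing still works while the normalization check fails, which is the case the answer warns about.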