I'm using a bash script to call the Cisco ESA API and I get the following JSON events:
sourcetype="cisco:esa:api:by:hour" uri="/api/v1.0/stats/mail_incoming_traffic_summary?1h"
| spath
| rename data.blocked_dmarc AS Stopped_by_DMARC,
    data.blocked_invalid_recipient AS Stopped_as_Invalid_Recipients,
    data.blocked_reputation AS Stopped_by_Reputation_Filtering,
    data.bulk_mail AS Bulk_Messages,
    data.detected_amp AS Detected_by_Advanced_Malware_Protection,
    data.detected_spam AS Spam_Detected,
    data.detected_virus AS Virus_Detected,
    data.ims_spam_increment_over_case AS Additional_Spam_Detected_by_Intelligent_Multi-Scan,
    data.malicious_url AS Messages_with_Malicious_URLs,
    data.marketing_mail AS Marketing_Messages,
    data.social_mail AS Social_Networking_Messages,
    data.threat_content_filter AS Stopped_by_Content_Filter,
    data.total_clean_recipients AS Clean_Messages,
    data.total_graymail_recipients AS Total_Graymails,
    data.total_recipients AS Total_Attempted_Messages,
    data.total_threat_recipients AS Total_Threat_Messages,
    data.verif_decrypt_fail AS S-MIME_Verification-Decryption_Failed,
    data.verif_decrypt_success AS S-MIME_Verification-Decryption_Successful
| table _time, Stopped_by_DMARC, Stopped_as_Invalid_Recipients, Stopped_by_Reputation_Filtering,
    Bulk_Messages, Detected_by_Advanced_Malware_Protection, Spam_Detected, Virus_Detected,
    Additional_Spam_Detected_by_Intelligent_Multi-Scan, Messages_with_Malicious_URLs,
    Marketing_Messages, Social_Networking_Messages, Stopped_by_Content_Filter, Clean_Messages,
    Total_Graymails, Total_Attempted_Messages, Total_Threat_Messages,
    S-MIME_Verification-Decryption_Failed, S-MIME_Verification-Decryption_Successful
When I use "spath" and "table" to convert it to a table, I always have duplicate events, as follows:
I referred to another answer and modified props.conf as follows:
[source::...ta-cisco-esa-api*.log*]
SHOULD_LINEMERGE = true
sourcetype = ta:cisco:esa:api:log

[source::...ta_cisco_esa_api*.log*]
SHOULD_LINEMERGE = true
sourcetype = ta:cisco:esa:api:log

[cisco:esa:api]
TRANSFORMS-send-data-to-index-queue = setparsing
category = Splunk App Add-on Builder
pulldown_type = 1
DATETIME_CONFIG =
NO_BINARY_CHECK = true
disabled = false
KV_MODE = none
AUTO_KV_JSON = false
INDEXED_EXTRACTIONS = json

[cisco:esa:api:by:hour]
SHOULD_LINEMERGE = true
category = Splunk App Add-on Builder
pulldown_type = 1
DATETIME_CONFIG =
NO_BINARY_CHECK = true
TRANSFORMS-send-data-to-index-queue = setparsing
disabled = false
KV_MODE = none
AUTO_KV_JSON = false
INDEXED_EXTRACTIONS = json
If I remove "KV_MODE = none", "AUTO_KV_JSON = false" and "INDEXED_EXTRACTIONS = json", the search results are still the same three records.
How can I have a unique event? Thanks!