Do I need to make any changes to the app? I don't see an eventtype.conf in the companion app but I do see a macro. In macro.conf would I set the index below?
[cisco_ios_index]
definition = (index=*)
[sla-sec2time(2)]
args = seconds,output_field
definition = eval sec2time_days=floor($seconds$/24/3600) | eval sec2time_hours=floor(($seconds$/3600)-(sec2time_days*24)) | eval sec2time_minutes = floor(($seconds$ / 60) - (sec2time_days*60*24) - (sec2time_hours * 60)) | eval sec2time_seconds = floor($seconds$ - (sec2time_days*3600*24) - (sec2time_hours * 3600) - (sec2time_minutes * 60)) | strcat sec2time_days " days " sec2time_hours "h " sec2time_minutes "m " sec2time_seconds "s" $output_field$
iseval = 0
[normalize-int(3)]
args = int_prefix_long,int_suffix,output_field
definition = eval $output_field$=$int_prefix_long$+$int_suffix$
iseval = 0
## Calling these requires the commercial "TA-cisco_ios-multi_tenancy" add-on
## BEGIN
[check_multi_tenancy]
iseval = 0
definition = rest splunk_server=local /services/apps/local/ | search title=TA-cisco_ios-multi_tenancy disabled=0
[get_tenants_for_user_role(1)]
args=user
definition = inputlookup cisco_ios_tenants | stats values(index) AS index BY tenant_name,roles | eval index=mvjoin(index,",") | eval index=replace(index,","," OR index=") | eval index="index=" + index | search [| rest splunk_server=local /services/authentication/users/$user$ | fields roles]
iseval = 0
## END
... View more