Add Splunk input for application, security and system

packages/system/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "0.12.0"
+  changes:
+    - description: Add Splunk input for application, system, and security data streams.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/890
 - version: "0.11.3"
   changes:
     - description: Updating package owner

packages/system/data_stream/application/agent/stream/httpjson.yml.hbs

@@ -0,0 +1,90 @@
+config_version: "2"
+interval: {{interval}}
+auth.basic.user: {{username}}
+auth.basic.password: {{password}}
+cursor:
+  index_earliest:
+    value: '[[.last_event.result.max_indextime]]'
+request.url: {{url}}/services/search/jobs/export
+{{#if ssl}}
+request.ssl: {{ssl}}
+{{/if}}
+request.method: POST
+request.transforms:
+  - set:
+      target: url.params.search
+      value: |-
+        {{search}} | streamstats max(_indextime) AS max_indextime
+  - set:
+      target: url.params.output_mode
+      value: "json"
+  - set:
+      target: url.params.index_earliest
+      value: '[[ .cursor.index_earliest ]]'
+      default: '[[(now (parseDuration "-{{interval}}")).Unix]]'
+  - set:
+      target: url.params.index_latest
+      value: '[[(now).Unix]]'
+  - set:
+      target: header.Content-Type
+      value: application/x-www-form-urlencoded
+response.decode_as: application/x-ndjson
+tags:
+{{#each tags as |tag i|}}
+  - {{tag}}
+{{/each}}
+{{#contains tags "forwarded"}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+processors:
+  - decode_json_fields:
+      fields: message
+      target: json
+      add_error_key: true
+  - drop_event:
+      when:
+        not:
+          has_fields: ['json.result']
+  - fingerprint:
+      fields:
+        - json.result._cd
+        - json.result._indextime
+        - json.result._raw
+        - json.result._time
+        - json.result.host
+        - json.result.source
+      target_field: "@metadata._id"
+  - drop_fields:
+      fields: message
+  - rename:
+      fields:
+        - from: json.result._raw
+          to: event.original
+        - from: json.result.host
+          to: host.name
+        - from: json.result.source
+          to: event.provider
+      ignore_missing: true
+      fail_on_error: false
+  - drop_fields:
+      fields: json
+  - decode_xml:
+      field: event.original
+      target_field: winlog
+      schema: wineventlog
+      ignore_missing: true
+      ignore_failure: true
+  - timestamp:
+      field: winlog.time_created
+      layouts:
+        - '2006-01-02T15:04:05Z'
+        - '2006-01-02T15:04:05.999Z'
+        - '2006-01-02T15:04:05.999-07:00'
+      test:
+        - '2019-06-22T16:33:51Z'
+        - '2019-11-18T04:59:51.123Z'
+        - '2020-08-03T07:10:20.123456+02:00'
+  - add_fields:
+      target: ''
+      fields:
+        ecs.version: 1.8.0

packages/system/data_stream/application/manifest.yml

@@ -6,3 +6,29 @@ streams:
     template_path: winlog.yml.hbs
     title: Application
     description: 'Collect Windows application logs'
+  - input: httpjson
+    title: Windows Application Events via Splunk Enterprise REST API
+    description: Collect Application Events via Splunk Enterprise REST API
+    enabled: false
+    template_path: httpjson.yml.hbs
+    vars:
+      - name: interval
+        type: text
+        title: Interval to query Splunk Enterprise REST API
+        description: Go Duration syntax (eg. 10s)
+        show_user: true
+        required: true
+        default: 10s
+      - name: search
+        type: text
+        title: Splunk search string
+        show_user: false
+        required: true
+        default: "search sourcetype=\"XmlWinEventLog:Application\""
+      - name: tags
+        type: text
+        title: Tags
+        multi: true
+        show_user: false
+        default:
+          - forwarded