kintyre / sa-cim_vladiator Goto Github PK

| datamodel
| spath
| table _raw modelName
| search [ rest /servicesNS/nobody/Splunk_SA_CIM/data/models | search eai:appName=Splunk_SA_CIM | rename title as modelName | fields modelName ]
| search modelName!="Splunk_CIM_Validation"
| spath output=objects "objects{}"
| fields - _raw
| mvexpand objects 
| spath input=objects output=outfields "calculations{}.outputFields{}"
| spath input=objects output=fields "fields{}" 
| eval fields=mvappend(fields, outfields) 
| fields - objects outfields
| mvexpand fields 
| spath input=fields 
| table modelName owner fieldName fieldSearch displayName comment.expected_values{} comment.recommended comment.description type hidden
| rename fieldName as field comment.description as description, type as data_type, comment.recommended as recommended 
| eval possible_values=mvjoin('comment.expected_values{}', ", ") 
| eval object = owner
| appendcols [ rest splunk_server=local /servicesNS/-/-/apps/local/Splunk_SA_CIM  | rename version as cim_version | table cim_version ]
| eventstats values(cim_version) as cim_version
| rename modelName as datamodel
| rex field=object mode=sed "s/^.*?\.([^.]+)$/\1/"
| search data_type!=objectCount NOT data_type=childCount NOT field=_time NOT field=host NOT field=source NOT field=sourcetype
| table cim_version, datamodel, object, field, data_type, description, possible_values, recommended
| sort datamodel object field
| dedup datamodel object field
| outputlookup cim_dictionary_new.csv

| inputlookup cim_dictionary_new.csv | inputlookup append=t cim_validation_dictionary | sort - cim_version | search datamodel=* | fields - recommended | stats list(*) as * dc(*) as dc_* by datamodel object field | fields - dc_cim_version | eval diffs=0 | foreach dc_* [ eval diffs=if('<<FIELD>>'>1,1,0) ] | where diffs>=1 | fields - dc_*