Commit
This change adds a field named `audit_version` to every record. The value of this field is a string that represents the time at which the audits started. The value of this field is in `YYYYmmddHHMMSS` format, e.g., `20190429180829`.

This version string is created only once at the beginning of a run of all configured audits. The same version string is then used for all audits. This way, all data obtained during a single run get the same version string regardless of the actual start time of the individual audits.

Additionally, this change adds two new record types.

- `begin_audit`: A record with `record_type` as `begin_audit` indicates that a specific audit has started. The `audit_key` field in the `com` bucket shows which audit has started.
- `end_audit`: A record of this type indicates that a specific audit has ended. The `audit_key` field in the `com` bucket shows which audit has ended.

Note that the same destination target may contain multiple `begin_audit` records at the beginning of an audit. For example, if the same Splunk instance is configured both as a store as well as an alert, then it would receive one `begin_audit` record sent to the store worker and one more sent to the alert worker. This holds good for `end_audit` records too.

The audit version string in these records is useful in selecting or querying the data obtained from the most recent run of an audit.
Showing 5 changed files with 187 additions and 81 deletions.
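The selection the commit message describes, written out as an added example (not code from this commit or project): pick the newest `audit_version` for which a destination holds both a `begin_audit` and an `end_audit` marker, so a run that is still in progress is not read as a partial snapshot. It assumes `record_type` and `audit_version` sit in the `com` bucket next to `audit_key` and that the timestamp is UTC; the function names, the `exampleaudit` key and the sample records are constructed for illustration.

```python
import time

MARKERS = ('begin_audit', 'end_audit')


def new_audit_version(now=None):
    """Build the YYYYmmddHHMMSS string once per run (UTC is an assumption)."""
    return time.strftime('%Y%m%d%H%M%S', time.gmtime(now))


def latest_complete_run(records, audit_key):
    """Return (version, data records) for the newest finished run of an audit.

    A run is finished when at least one begin_audit and one end_audit marker
    carry its version; duplicate markers from several workers are harmless.
    """
    seen = {'begin_audit': set(), 'end_audit': set()}
    for rec in records:
        com = rec.get('com', {})
        version = com.get('audit_version')
        if com.get('audit_key') != audit_key or not version:
            continue
        if com.get('record_type') in MARKERS:
            seen[com['record_type']].add(version)
    finished = seen['begin_audit'] & seen['end_audit']
    if not finished:
        return None, []
    # Fixed-width digit strings sort lexicographically in time order.
    newest = max(finished)
    data = [r for r in records
            if r.get('com', {}).get('audit_key') == audit_key
            and r['com'].get('audit_version') == newest
            and r['com'].get('record_type') not in MARKERS]
    return newest, data


def _rec(record_type, version, key='exampleaudit'):
    # Field placement inside 'com' is an assumption of this example.
    return {'com': {'record_type': record_type, 'audit_key': key,
                    'audit_version': version}}


# Constructed sample: one finished run with duplicate markers (store worker
# plus alert worker), then a newer run that has begun but not yet ended.
SAMPLE = [
    _rec('begin_audit', '20190429180829'), _rec('begin_audit', '20190429180829'),
    _rec('sample_data', '20190429180829'), _rec('sample_data', '20190429180829'),
    _rec('end_audit', '20190429180829'), _rec('end_audit', '20190429180829'),
    _rec('begin_audit', '20190430090000'), _rec('sample_data', '20190430090000'),
]
```
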
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.