add missing fields

arkime · Dec 11, 2024 · 70a1cd3 · 70a1cd3
1 parent 5573e04
commit 70a1cd3
Show file tree

Hide file tree

Showing 5 changed files with 39 additions and 1 deletion.
diff --git a/_data/wise/elasticsearch.yml b/_data/wise/elasticsearch.yml
@@ -32,6 +32,10 @@ settings:
     value: REQUIRED
     text: Field that is required to be in the result
 
+  - key: esQueryField
+    value: REQUIRED
+    text: The field in each document that is being queried
+
 after: |
   <p>
     Example config that will query OpenSearch/Elasticsearch for an ip that is in the 10.172/16 space, in the index TheIndex-\*, only looking at records that have a \@timestamp field newer than 86400000ms. It looks at the `cef_ext.src` field and only looks at records that has a cef_ext.suser field set. Once it has a result it sets the user field in arkime to whatever the `cef_ext.suser` field is in the document.

diff --git a/_data/wise/field-actions.yml b/_data/wise/field-actions.yml
@@ -0,0 +1,13 @@
+name: FIeld Actions
+
+before: |
+  <p>
+    Not really a WISE data source, this source monitors configured files, redis urls, or OpenSearch/Elasticsearch urls for field actions to send to all the viewer instances that connect to this WISE Server. Each file needs to have its own section, with the section name starting with `fieldactions:`. The format of the monitored files is the same as [WISE](settings#wise). It will auto reload the fieldactions files if they change.
+    <br>
+    Create a <code>[fieldactions:UNIQUENAME]</code> section to configure
+  </p>
+
+settings:
+  - key: url
+    value: REQUIRED
+    text: The file to load, can be a file path, redis url (Format is redis://[:password@]host:port/db-number/key, redis-sentinel://[[sentinelPassword]:[password]@]host[:port]/redis-name/db-number/key, or redis-cluster://[:password@]host:port/db-number/key), or elasticsearch url (Format elasticsearch://host:9200/INDEX/_doc/DOCNAME with elasticsearchs:// also supported.)
diff --git a/_data/wise/redis.yml b/_data/wise/redis.yml
@@ -9,10 +9,14 @@ before: |
   </p>
 
 settings:
-  - key: url
+  - key: redisURL
     value: REQUIRED
     text: The format is `[redis:]//[[user][:password@]]host:port[/db-number]`
 
+  - key: redisMethod
+    value: get
+    text: The lowercase redis method to retrieve values
+
   - key: tags
     value: REQUIRED
     text: Comma separated list of tags to set for matches
@@ -32,3 +36,7 @@ settings:
   - key: template
     value: "%key%"
     text: The template when forming the key name. %key% = the key being looked up, %type% = the type being looked up.
+
+  - key: keyPath
+    value: REQUIRED
+    text: The path of what field to use as the key when in json/jsonl mode
diff --git a/_data/wise/splunk.yml b/_data/wise/splunk.yml
@@ -42,6 +42,18 @@ settings:
     value: 5
     text: The Splunk api version to use
 
+  - key: username
+    value: REQUIRED
+    text: The Splunk username
+
+  - key: password
+    value: REQUIRED
+    text: The Splunk password
+
+  - key: arrayPath
+    value: EMPTY
+    text: The path of where to find the array, if the json result isn't an array
+
 after: |
   <p>
     Example config that will query Splunk for all the vpn_ip to user name mappings during the last 24 hours every 60 seconds. It will then set the user field for any ip that matches.

diff --git a/settings.html b/settings.html
@@ -92,6 +92,7 @@
   - reversedns
   - url
   - value-actions
+  - field-actions
 
 
 ---
-Original file line number
+Diff line change
@@ Expand Up / @@ -92,6 +92,7 @@ @@
       - reversedns
       - url
       - value-actions
+      - field-actions
     ---
@@ Expand Down @@