From ed318249ecb830c3c7acb6bf43fc3645760969d1 Mon Sep 17 00:00:00 2001 From: Arne Oslebo <arne.oslebo@uninett.no> Date: Fri, 5 Feb 2021 13:30:36 +0100 Subject: [PATCH] new pipeline for easier ingestion of custom data --- roles/nifi/templates/flow.xml.j2 | 3265 +++++++++++++++++++----------- 1 file changed, 2054 insertions(+), 1211 deletions(-) diff --git a/roles/nifi/templates/flow.xml.j2 b/roles/nifi/templates/flow.xml.j2 index ec45218..0dd2bc3 100644 --- a/roles/nifi/templates/flow.xml.j2 +++ b/roles/nifi/templates/flow.xml.j2 @@ -3843,26 +3843,33 @@ <flowfileConcurrency>UNBOUNDED</flowfileConcurrency> <flowfileOutboundPolicy>STREAM_WHEN_AVAILABLE</flowfileOutboundPolicy> <outputPort> - <id>21a9e277-2d80-359a-9c57-cb76d8962e6d</id> - <name>To data output</name> - <position x="-1120.0" y="592.0" /> + <id>20b01ab3-3a8d-3573-b95d-a4a45494050f</id> + <name>To enrichment</name> + <position x="168.0" y="616.0" /> <comments /> <scheduledState>RUNNING</scheduledState> </outputPort> <outputPort> - <id>20b01ab3-3a8d-3573-b95d-a4a45494050f</id> - <name>To enrichment</name> - <position x="480.0" y="392.0" /> + <id>21a9e277-2d80-359a-9c57-cb76d8962e6d</id> + <name>To data output</name> + <position x="-840.0" y="512.0" /> <comments /> <scheduledState>RUNNING</scheduledState> </outputPort> <processGroup> <id>27d51d04-0172-1000-0000-00004573c6ec</id> <name>Custom data inputs</name> - <position x="-504.0" y="952.0" /> + <position x="-496.0" y="560.0" /> <comment /> <flowfileConcurrency>UNBOUNDED</flowfileConcurrency> <flowfileOutboundPolicy>STREAM_WHEN_AVAILABLE</flowfileOutboundPolicy> + <inputPort> + <id>71b3817e-0177-1000-ffff-ffffd4a7af96</id> + <name>Filebeat input</name> + <position x="-431.0000286470686" y="90.00002230822065" /> + <comments /> + <scheduledState>STOPPED</scheduledState> + </inputPort> <outputPort> <id>27d5dab2-0172-1000-ffff-ffffab5c50be</id> <name>To data output</name> 
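Review bot: The new `Filebeat input` port (71b3817e) in the Custom data inputs group is added with `<scheduledState>STOPPED</scheduledState>` while every other port in this hunk is RUNNING, so anything connected to it will queue until someone starts the port by hand. If that is deliberate staging for the new pipeline, a `<comments>` entry saying so would help the next person reading the flow; otherwise it should read `<scheduledState>RUNNING</scheduledState>` like its siblings. The enclosing processGroup continues past the end of the hunk.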
@@ -3879,19 +3886,19 @@ </outputPort> </processGroup> <processGroup> - <id>0c790562-0175-1000-ffff-ffffeaaeafc3</id> - <name>FileBeat</name> - <position x="-496.0" y="344.0" /> + <id>67153f53-be2c-169b-8f0e-a6506c0be321</id> + <name>Common ListenBeats</name> + <position x="-496.0" y="328.0" /> <comment /> <flowfileConcurrency>UNBOUNDED</flowfileConcurrency> <flowfileOutboundPolicy>STREAM_WHEN_AVAILABLE</flowfileOutboundPolicy> <processor> - <id>8962ad5a-0175-1000-ffff-ffffde6db5a6</id> - <name>RouteOnAttribute</name> - <position x="-1080.0" y="280.0" /> + <id>5b913a03-c87d-174e-a898-0bb224dc864c</id> + <name>Prepend [</name> + <position x="-1086.1517800521056" y="160.65881341602864" /> <styles /> <comment /> - <class>org.apache.nifi.processors.standard.RouteOnAttribute</class> + <class>org.apache.nifi.processors.standard.ReplaceText</class> <bundle> <group>org.apache.nifi</group> <artifact>nifi-standard-nar</artifact> 
@@ -3908,122 +3915,510 @@ <executionNode>ALL</executionNode> <runDurationNanos>0</runDurationNanos> <property> - <name>Routing Strategy</name> - <value>Route to Property name</value> + <name>Regular Expression</name> + <value>(?s)(^.*$)</value> </property> <property> - <name>keycloak</name> - <value>${log_type:equals("keycloak")}</value> + <name>Replacement Value</name> + <value>[</value> </property> <property> - <name>kibana</name> - <value>${log_type:equals("kibana")}</value> + <name>Character Set</name> + <value>UTF-8</value> </property> <property> - <name>elasticsearch</name> - <value>${log_type:equals("elasticsearch")}</value> + <name>Maximum Buffer Size</name> + <value>2 MB</value> </property> <property> - <name>suricata</name> - <value>${log_type:equals("suricata")}</value> + <name>Replacement Strategy</name> + <value>Prepend</value> </property> <property> - <name>haproxy</name> - <value>${log_type:equals("haproxy")}</value> + <name>Evaluation Mode</name> + <value>Entire text</value> </property> <property> - <name>mysql</name> - <value>${log_type:equals("mysql")}</value> + <name>Line-by-Line Evaluation Mode</name> + <value>All</value> + </property> + <autoTerminatedRelationship>failure</autoTerminatedRelationship> + </processor> + <processor> + <id>6b723027-a251-1ef5-8754-96be5d4737d3</id> + <name>PartitionRecord</name> + <position x="-424.0" y="368.0" /> + <styles /> + <comment /> + <class>org.apache.nifi.processors.standard.PartitionRecord</class> + <bundle> + <group>org.apache.nifi</group> + <artifact>nifi-standard-nar</artifact> + <version>1.12.1</version> + </bundle> + <maxConcurrentTasks>1</maxConcurrentTasks> + <schedulingPeriod>0 sec</schedulingPeriod> + <penalizationPeriod>30 sec</penalizationPeriod> + <yieldPeriod>1 sec</yieldPeriod> + <bulletinLevel>WARN</bulletinLevel> + <lossTolerant>false</lossTolerant> + <scheduledState>RUNNING</scheduledState> + <schedulingStrategy>TIMER_DRIVEN</schedulingStrategy> + <executionNode>ALL</executionNode> + 
<runDurationNanos>0</runDurationNanos> + <property> + <name>record-reader</name> + <value>179dd31f-89ed-3179-adb2-85a9c61869ce</value> </property> <property> - <name>zeek</name> - <value>${log_type:equals("zeek")}</value> + <name>record-writer</name> + <value>17b30955-5464-3709-8a32-69a459850cfa</value> </property> <property> - <name>nifi</name> - <value>${log_type:equals("nifi")}</value> + <name>log_type</name> + <value>/fields/log_type</value> </property> <property> - <name>zookeeper</name> - <value>${log_type:equals("zookeeper")}</value> + <name>source_host</name> + <value>/host/name</value> + </property> + <property> + <name>source_file</name> + <value>/log/file/path</value> </property> + <autoTerminatedRelationship>failure</autoTerminatedRelationship> + <autoTerminatedRelationship>original</autoTerminatedRelationship> </processor> - <outputPort> - <id>bcb879d5-0175-1000-0000-000070879ad0</id> - <name>To data output</name> - <position x="-2480.0" y="336.0" /> - <comments /> + <processor> + <id>1b733cdc-2195-19ac-b33d-e8d606b07426</id> + <name>ListenBeats</name> + <position x="-1076.9243538376497" y="-51.550721133258094" /> + <styles /> + <comment /> + <class>org.apache.nifi.processors.beats.ListenBeats</class> + <bundle> + <group>org.apache.nifi</group> + <artifact>nifi-beats-nar</artifact> + <version>1.12.1</version> + </bundle> + <maxConcurrentTasks>1</maxConcurrentTasks> + <schedulingPeriod>0 sec</schedulingPeriod> + <penalizationPeriod>30 sec</penalizationPeriod> + <yieldPeriod>1 sec</yieldPeriod> + <bulletinLevel>WARN</bulletinLevel> + <lossTolerant>false</lossTolerant> <scheduledState>RUNNING</scheduledState> - </outputPort> + <schedulingStrategy>TIMER_DRIVEN</schedulingStrategy> + <executionNode>ALL</executionNode> + <runDurationNanos>0</runDurationNanos> + <property> + <name>Local Network Interface</name> + </property> + <property> + <name>Port</name> + <value>6006</value> + </property> + <property> + <name>Receive Buffer Size</name> + 
<value>1024kb</value> + </property> + <property> + <name>Max Size of Message Queue</name> + <value>10000</value> + </property> + <property> + <name>Max Size of Socket Buffer</name> + <value>4 MB</value> + </property> + <property> + <name>Character Set</name> + <value>UTF-8</value> + </property> + <property> + <name>Max Batch Size</name> + <value>500</value> + </property> + <property> + <name>Message Delimiter</name> + <value>,\n</value> + </property> + <property> + <name>Max Number of TCP Connections</name> + <value>200</value> + </property> + <property> + <name>SSL_CONTEXT_SERVICE</name> + </property> + <property> + <name>Client Auth</name> + <value>NONE</value> + </property> + </processor> + <processor> + <id>41c9332f-28f2-11ff-9a4d-1559980dec52</id> + <name>Append ]</name> + <position x="-424.0" y="160.0" /> + <styles /> + <comment /> + <class>org.apache.nifi.processors.standard.ReplaceText</class> + <bundle> + <group>org.apache.nifi</group> + <artifact>nifi-standard-nar</artifact> + <version>1.12.1</version> + </bundle> + <maxConcurrentTasks>1</maxConcurrentTasks> + <schedulingPeriod>0 sec</schedulingPeriod> + <penalizationPeriod>30 sec</penalizationPeriod> + <yieldPeriod>1 sec</yieldPeriod> + <bulletinLevel>WARN</bulletinLevel> + <lossTolerant>false</lossTolerant> + <scheduledState>RUNNING</scheduledState> + <schedulingStrategy>TIMER_DRIVEN</schedulingStrategy> + <executionNode>ALL</executionNode> + <runDurationNanos>0</runDurationNanos> + <property> + <name>Regular Expression</name> + <value>(?s)(^.*$)</value> + </property> + <property> + <name>Replacement Value</name> + <value>]</value> + </property> + <property> + <name>Character Set</name> + <value>UTF-8</value> + </property> + <property> + <name>Maximum Buffer Size</name> + <value>2 MB</value> + </property> + <property> + <name>Replacement Strategy</name> + <value>Append</value> + </property> + <property> + <name>Evaluation Mode</name> + <value>Entire text</value> + </property> + <property> + 
<name>Line-by-Line Evaluation Mode</name> + <value>All</value> + </property> + <autoTerminatedRelationship>failure</autoTerminatedRelationship> + </processor> + <processor> + <id>15323c1c-21bd-1a4b-97f0-159306d10eee</id> + <name>Rename @ fields</name> + <position x="-1080.0" y="360.0" /> + <styles /> + <comment /> + <class>org.apache.nifi.processors.standard.JoltTransformJSON</class> + <bundle> + <group>org.apache.nifi</group> + <artifact>nifi-standard-nar</artifact> + <version>1.12.1</version> + </bundle> + <maxConcurrentTasks>1</maxConcurrentTasks> + <schedulingPeriod>0 sec</schedulingPeriod> + <penalizationPeriod>30 sec</penalizationPeriod> + <yieldPeriod>1 sec</yieldPeriod> + <bulletinLevel>WARN</bulletinLevel> + <lossTolerant>false</lossTolerant> + <scheduledState>RUNNING</scheduledState> + <schedulingStrategy>TIMER_DRIVEN</schedulingStrategy> + <executionNode>ALL</executionNode> + <runDurationNanos>0</runDurationNanos> + <property> + <name>jolt-transform</name> + <value>jolt-transform-chain</value> + </property> + <property> + <name>jolt-custom-class</name> + </property> + <property> + <name>jolt-custom-modules</name> + </property> + <property> + <name>jolt-spec</name> + <value>[{ + "operation": "shift", + "spec": { + "*": { + "\\@timestamp":"[&1].timestamp", + "\\@metadata":"[&1].metadata", + "*": "[&1].&" + } + } +}]</value> + </property> + <property> + <name>Transform Cache Size</name> + <value>1</value> + </property> + <property> + <name>pretty_print</name> + <value>false</value> + </property> + <autoTerminatedRelationship>failure</autoTerminatedRelationship> + </processor> <outputPort> - <id>349b32fe-a821-1197-0000-00003a0b6fe5</id> - <name>To enrichment</name> - <position x="744.0" y="920.0" /> + <id>9ab934fe-0c30-14b7-b8f5-dd9ffa4f3844</id> + <name>Output</name> + <position x="-360.0" y="704.0" /> <comments /> - <scheduledState>RUNNING</scheduledState> + <scheduledState>STOPPED</scheduledState> </outputPort> - <processGroup> - 
<id>89636688-0175-1000-ffff-ffffb1b28a38</id> - <name>Unknown data</name> - <position x="-448.0" y="64.0" /> - <comment /> - <flowfileConcurrency>UNBOUNDED</flowfileConcurrency> - <flowfileOutboundPolicy>STREAM_WHEN_AVAILABLE</flowfileOutboundPolicy> - <processor> - <id>8963d0f9-0175-1000-0000-000054fbe086</id> - <name>UpdateAttribute</name> - <position x="392.0" y="248.0" /> - <styles /> - <comment /> - <class>org.apache.nifi.processors.attributes.UpdateAttribute</class> - <bundle> - <group>org.apache.nifi</group> - <artifact>nifi-update-attribute-nar</artifact> - <version>1.12.1</version> - </bundle> - <maxConcurrentTasks>1</maxConcurrentTasks> - <schedulingPeriod>0 sec</schedulingPeriod> - <penalizationPeriod>30 sec</penalizationPeriod> - <yieldPeriod>1 sec</yieldPeriod> - <bulletinLevel>WARN</bulletinLevel> - <lossTolerant>false</lossTolerant> - <scheduledState>RUNNING</scheduledState> - <schedulingStrategy>TIMER_DRIVEN</schedulingStrategy> - <executionNode>ALL</executionNode> - <runDurationNanos>0</runDurationNanos> - <property> - <name>Delete Attributes Expression</name> - </property> - <property> - <name>Store State</name> - <value>Do not store state</value> - </property> - <property> - <name>Stateful Variables Initial Value</name> - </property> - <property> - <name>canonical-value-lookup-cache-size</name> - <value>100</value> - </property> - <property> - <name>data_index</name> - <value>logs-filebeat-unknown</value> - </property> - </processor> - <inputPort> - <id>89639d3d-0175-1000-ffff-ffffb446c257</id> - <name>Input</name> - <position x="444.0000243687773" y="80.00000220501622" /> - <comments /> - <scheduledState>RUNNING</scheduledState> - </inputPort> - <outputPort> - <id>8963b202-0175-1000-0000-000022d64ba2</id> - <name>Output</name> - <position x="456.0" y="504.0" /> - <comments /> - <scheduledState>RUNNING</scheduledState> - </outputPort> + <connection> + <id>06ea3452-d772-1619-9138-03fb1d23ba8f</id> + <name /> + <bendPoints /> + 
<labelIndex>1</labelIndex> + <zIndex>0</zIndex> + <sourceId>15323c1c-21bd-1a4b-97f0-159306d10eee</sourceId> + <sourceGroupId>67153f53-be2c-169b-8f0e-a6506c0be321</sourceGroupId> + <sourceType>PROCESSOR</sourceType> + <destinationId>6b723027-a251-1ef5-8754-96be5d4737d3</destinationId> + <destinationGroupId>67153f53-be2c-169b-8f0e-a6506c0be321</destinationGroupId> + <destinationType>PROCESSOR</destinationType> + <relationship>success</relationship> + <maxWorkQueueSize>10000</maxWorkQueueSize> + <maxWorkQueueDataSize>1 GB</maxWorkQueueDataSize> + <flowFileExpiration>0 sec</flowFileExpiration> + <loadBalanceStrategy>DO_NOT_LOAD_BALANCE</loadBalanceStrategy> + <partitioningAttribute /> + <loadBalanceCompression>DO_NOT_COMPRESS</loadBalanceCompression> + </connection> + <connection> + <id>0ea63f01-7efa-15a6-844a-d0e41c9d576e</id> + <name /> + <bendPoints /> + <labelIndex>1</labelIndex> + <zIndex>0</zIndex> + <sourceId>1b733cdc-2195-19ac-b33d-e8d606b07426</sourceId> + <sourceGroupId>67153f53-be2c-169b-8f0e-a6506c0be321</sourceGroupId> + <sourceType>PROCESSOR</sourceType> + <destinationId>5b913a03-c87d-174e-a898-0bb224dc864c</destinationId> + <destinationGroupId>67153f53-be2c-169b-8f0e-a6506c0be321</destinationGroupId> + <destinationType>PROCESSOR</destinationType> + <relationship>success</relationship> + <maxWorkQueueSize>10000</maxWorkQueueSize> + <maxWorkQueueDataSize>1 GB</maxWorkQueueDataSize> + <flowFileExpiration>0 sec</flowFileExpiration> + <loadBalanceStrategy>DO_NOT_LOAD_BALANCE</loadBalanceStrategy> + <partitioningAttribute /> + <loadBalanceCompression>DO_NOT_COMPRESS</loadBalanceCompression> + </connection> + <connection> + <id>fa2a313f-b074-1c33-b6c5-8e97e16a2270</id> + <name /> + <bendPoints /> + <labelIndex>1</labelIndex> + <zIndex>0</zIndex> + <sourceId>6b723027-a251-1ef5-8754-96be5d4737d3</sourceId> + <sourceGroupId>67153f53-be2c-169b-8f0e-a6506c0be321</sourceGroupId> + <sourceType>PROCESSOR</sourceType> + 
<destinationId>9ab934fe-0c30-14b7-b8f5-dd9ffa4f3844</destinationId> + <destinationGroupId>67153f53-be2c-169b-8f0e-a6506c0be321</destinationGroupId> + <destinationType>OUTPUT_PORT</destinationType> + <relationship>success</relationship> + <maxWorkQueueSize>10000</maxWorkQueueSize> + <maxWorkQueueDataSize>1 GB</maxWorkQueueDataSize> + <flowFileExpiration>0 sec</flowFileExpiration> + <loadBalanceStrategy>DO_NOT_LOAD_BALANCE</loadBalanceStrategy> + <partitioningAttribute /> + <loadBalanceCompression>DO_NOT_COMPRESS</loadBalanceCompression> + </connection> + <connection> + <id>fd743a79-9c8a-1ea0-8d9c-30a455ba14a1</id> + <name /> + <bendPoints /> + <labelIndex>1</labelIndex> + <zIndex>0</zIndex> + <sourceId>41c9332f-28f2-11ff-9a4d-1559980dec52</sourceId> + <sourceGroupId>67153f53-be2c-169b-8f0e-a6506c0be321</sourceGroupId> + <sourceType>PROCESSOR</sourceType> + <destinationId>15323c1c-21bd-1a4b-97f0-159306d10eee</destinationId> + <destinationGroupId>67153f53-be2c-169b-8f0e-a6506c0be321</destinationGroupId> + <destinationType>PROCESSOR</destinationType> + <relationship>success</relationship> + <maxWorkQueueSize>10000</maxWorkQueueSize> + <maxWorkQueueDataSize>1 GB</maxWorkQueueDataSize> + <flowFileExpiration>0 sec</flowFileExpiration> + <loadBalanceStrategy>DO_NOT_LOAD_BALANCE</loadBalanceStrategy> + <partitioningAttribute /> + <loadBalanceCompression>DO_NOT_COMPRESS</loadBalanceCompression> + </connection> + <connection> + <id>204134f3-840c-1ee1-abae-809970b948ed</id> + <name /> + <bendPoints /> + <labelIndex>1</labelIndex> + <zIndex>0</zIndex> + <sourceId>5b913a03-c87d-174e-a898-0bb224dc864c</sourceId> + <sourceGroupId>67153f53-be2c-169b-8f0e-a6506c0be321</sourceGroupId> + <sourceType>PROCESSOR</sourceType> + <destinationId>41c9332f-28f2-11ff-9a4d-1559980dec52</destinationId> + <destinationGroupId>67153f53-be2c-169b-8f0e-a6506c0be321</destinationGroupId> + <destinationType>PROCESSOR</destinationType> + <relationship>success</relationship> + 
<maxWorkQueueSize>10000</maxWorkQueueSize> + <maxWorkQueueDataSize>1 GB</maxWorkQueueDataSize> + <flowFileExpiration>0 sec</flowFileExpiration> + <loadBalanceStrategy>DO_NOT_LOAD_BALANCE</loadBalanceStrategy> + <partitioningAttribute /> + <loadBalanceCompression>DO_NOT_COMPRESS</loadBalanceCompression> + </connection> + </processGroup> + <processGroup> + <id>0c790562-0175-1000-ffff-ffffeaaeafc3</id> + <name>SOCTools</name> + <position x="-504.0" y="120.0" /> + <comment /> + <flowfileConcurrency>UNBOUNDED</flowfileConcurrency> + <flowfileOutboundPolicy>STREAM_WHEN_AVAILABLE</flowfileOutboundPolicy> + <processor> + <id>8962ad5a-0175-1000-ffff-ffffde6db5a6</id> + <name>RouteOnAttribute</name> + <position x="-1080.0" y="280.0" /> + <styles /> + <comment /> + <class>org.apache.nifi.processors.standard.RouteOnAttribute</class> + <bundle> + <group>org.apache.nifi</group> + <artifact>nifi-standard-nar</artifact> + <version>1.12.1</version> + </bundle> + <maxConcurrentTasks>1</maxConcurrentTasks> + <schedulingPeriod>0 sec</schedulingPeriod> + <penalizationPeriod>30 sec</penalizationPeriod> + <yieldPeriod>1 sec</yieldPeriod> + <bulletinLevel>WARN</bulletinLevel> + <lossTolerant>false</lossTolerant> + <scheduledState>RUNNING</scheduledState> + <schedulingStrategy>TIMER_DRIVEN</schedulingStrategy> + <executionNode>ALL</executionNode> + <runDurationNanos>0</runDurationNanos> + <property> + <name>Routing Strategy</name> + <value>Route to Property name</value> + </property> + <property> + <name>keycloak</name> + <value>${log_type:equals("keycloak")}</value> + </property> + <property> + <name>kibana</name> + <value>${log_type:equals("kibana")}</value> + </property> + <property> + <name>elasticsearch</name> + <value>${log_type:equals("elasticsearch")}</value> + </property> + <property> + <name>suricata</name> + <value>${log_type:equals("suricata")}</value> + </property> + <property> + <name>haproxy</name> + <value>${log_type:equals("haproxy")}</value> + </property> + <property> + 
<name>misp</name> + <value>${log_type:equals("misp")}</value> + </property> + <property> + <name>mysql</name> + <value>${log_type:equals("mysql")}</value> + </property> + <property> + <name>zeek</name> + <value>${log_type:equals("zeek")}</value> + </property> + <property> + <name>nifi</name> + <value>${log_type:equals("nifi")}</value> + </property> + <property> + <name>zookeeper</name> + <value>${log_type:equals("zookeeper")}</value> + </property> + </processor> + <outputPort> + <id>349b32fe-a821-1197-0000-00003a0b6fe5</id> + <name>To enrichment</name> + <position x="736.0" y="592.0" /> + <comments /> + <scheduledState>RUNNING</scheduledState> + </outputPort> + <outputPort> + <id>bcb879d5-0175-1000-0000-000070879ad0</id> + <name>To data output</name> + <position x="-2480.0" y="336.0" /> + <comments /> + <scheduledState>RUNNING</scheduledState> + </outputPort> + <processGroup> + <id>89636688-0175-1000-ffff-ffffb1b28a38</id> + <name>Unknown data</name> + <position x="-440.0" y="-152.0" /> + <comment /> + <flowfileConcurrency>UNBOUNDED</flowfileConcurrency> + <flowfileOutboundPolicy>STREAM_WHEN_AVAILABLE</flowfileOutboundPolicy> + <processor> + <id>8963d0f9-0175-1000-0000-000054fbe086</id> + <name>UpdateAttribute</name> + <position x="392.0" y="248.0" /> + <styles /> + <comment /> + <class>org.apache.nifi.processors.attributes.UpdateAttribute</class> + <bundle> + <group>org.apache.nifi</group> + <artifact>nifi-update-attribute-nar</artifact> + <version>1.12.1</version> + </bundle> + <maxConcurrentTasks>1</maxConcurrentTasks> + <schedulingPeriod>0 sec</schedulingPeriod> + <penalizationPeriod>30 sec</penalizationPeriod> + <yieldPeriod>1 sec</yieldPeriod> + <bulletinLevel>WARN</bulletinLevel> + <lossTolerant>false</lossTolerant> + <scheduledState>RUNNING</scheduledState> + <schedulingStrategy>TIMER_DRIVEN</schedulingStrategy> + <executionNode>ALL</executionNode> + <runDurationNanos>0</runDurationNanos> + <property> + <name>Delete Attributes Expression</name> + 
</property> + <property> + <name>Store State</name> + <value>Do not store state</value> + </property> + <property> + <name>Stateful Variables Initial Value</name> + </property> + <property> + <name>canonical-value-lookup-cache-size</name> + <value>100</value> + </property> + <property> + <name>data_index</name> + <value>logs-filebeat-unknown</value> + </property> + </processor> + <inputPort> + <id>89639d3d-0175-1000-ffff-ffffb446c257</id> + <name>Input</name> + <position x="444.0000243687773" y="80.00000220501622" /> + <comments /> + <scheduledState>RUNNING</scheduledState> + </inputPort> + <outputPort> + <id>8963b202-0175-1000-0000-000022d64ba2</id> + <name>Output</name> + <position x="456.0" y="504.0" /> + <comments /> + <scheduledState>RUNNING</scheduledState> + </outputPort> <connection> <id>8963e649-0175-1000-ffff-fffff03ab629</id> <name /> @@ -4819,19 +5214,19 @@ </connection> </processGroup> <processGroup> - <id>bd12dc14-015e-3428-bfdf-b1219d2d6fdb</id> - <name>Suricata</name> - <position x="-448.0" y="264.0" /> + <id>48bc31b5-dbc5-116d-adbe-fe0f10314ac2</id> + <name>Mysql</name> + <position x="-440.0" y="1272.0" /> <comment /> <flowfileConcurrency>UNBOUNDED</flowfileConcurrency> <flowfileOutboundPolicy>STREAM_WHEN_AVAILABLE</flowfileOutboundPolicy> <processor> - <id>8d1bef35-0175-1000-0000-0000746fa33d</id> - <name>RouteOnAttribute</name> - <position x="-984.0" y="640.0" /> + <id>14453e90-7646-1485-ffff-ffff81f3c683</id> + <name>Add header</name> + <position x="344.0" y="-8.0" /> <styles /> <comment /> - <class>org.apache.nifi.processors.standard.RouteOnAttribute</class> + <class>org.apache.nifi.processors.standard.ReplaceText</class> <bundle> <group>org.apache.nifi</group> <artifact>nifi-standard-nar</artifact> 
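Review bot: The new ListenBeats processor (1b733cdc) leaves `SSL_CONTEXT_SERVICE` without a value, sets `Client Auth` to NONE and leaves `Local Network Interface` empty, so port 6006 accepts plaintext, unauthenticated Beats traffic on every interface, and the PartitionRecord that follows then uses the client-supplied `/fields/log_type`, `/host/name` and `/log/file/path` as its `log_type`, `source_host` and `source_file` routing keys. If the template already defines an SSL context service for other listeners, reference it here (its id is not in this diff, so `<value>[SSL_CONTEXT_SERVICE_ID]</value>` is a placeholder to fill in) and set `<name>Client Auth</name><value>REQUIRED</value>`; if TLS is intentionally deferred, a `<comment>` on the processor stating that the listener is plaintext and must be network-restricted would at least record the decision. Separately, every `failure` relationship in this group (Prepend [, Append ], PartitionRecord, Rename @ fields) is auto-terminated, so a batch above the 2 MB `Maximum Buffer Size` of the two ReplaceText processors — plausible with `Max Batch Size` 500 — or JSON the Jolt spec cannot shift is dropped with no trace, and routing those failures to a logging or retry connection would make the loss visible. Note also that the group's Output port (9ab934fe) is added STOPPED, which queues everything PartitionRecord emits until it is started.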
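Review bot: The `suricata` route in the SOCTools RouteOnAttribute re-added earlier in this patch (`${log_type:equals("suricata")}`) has no visible destination once this hunk replaces the Suricata process group (bd12dc14) with the new Mysql group (48bc31b5). Unless Suricata handling has been re-created elsewhere in the 2054 added lines, that relationship would be left unconnected and the processor invalid, and the commit message says nothing about dropping Suricata, so this is worth confirming before merge. Both the Mysql processGroup and its `Add header` processor continue past the end of the hunk.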
@@ -4848,31 +5243,49 @@ <executionNode>ALL</executionNode> <runDurationNanos>0</runDurationNanos> <property> - <name>Routing Strategy</name> - <value>Route to Property name</value> + <name>Regular Expression</name> + <value>(?s)(^.*$)</value> </property> <property> - <name>dns</name> - <value>${event_type:equals("dns")}</value> + <name>Replacement Value</name> + <value>timestamp,serverhost,username,host,connectionid,queryid,operation,database,object,retcode +</value> </property> <property> - <name>tls</name> - <value>${event_type:equals("tls")}</value> + <name>Character Set</name> + <value>UTF-8</value> </property> - </processor> - <processor> - <id>24e1d8ed-10f4-3b46-958c-f2fb676e3192</id> - <name>Normalize fields</name> - <position x="-987.5658863682004" y="234.96963460665665" /> - <styles /> - <comment /> - <class>org.apache.nifi.processors.standard.JoltTransformJSON</class> - <bundle> - <group>org.apache.nifi</group> - <artifact>nifi-standard-nar</artifact> - <version>1.12.1</version> - </bundle> - <maxConcurrentTasks>1</maxConcurrentTasks> + <property> + <name>Maximum Buffer Size</name> + <value>1 MB</value> + </property> + <property> + <name>Replacement Strategy</name> + <value>Prepend</value> + </property> + <property> + <name>Evaluation Mode</name> + <value>Entire text</value> + </property> + <property> + <name>Line-by-Line Evaluation Mode</name> + <value>All</value> + </property> + <autoTerminatedRelationship>failure</autoTerminatedRelationship> + </processor> + <processor> + <id>e0bd3907-2d13-1407-b2dd-48591e65e59d</id> + <name>UpdateRecord</name> + <position x="-336.0" y="416.0" /> + <styles /> + <comment /> + <class>org.apache.nifi.processors.standard.UpdateRecord</class> + <bundle> + <group>org.apache.nifi</group> + <artifact>nifi-standard-nar</artifact> + <version>1.12.1</version> + </bundle> + <maxConcurrentTasks>1</maxConcurrentTasks> <schedulingPeriod>0 sec</schedulingPeriod> <penalizationPeriod>30 sec</penalizationPeriod> <yieldPeriod>1 
sec</yieldPeriod> 
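Review bot: The `Add header` replacement value prepends a ten-column CSV header whose `object` column will hold the logged SQL statement, and statements routinely contain commas and quotes; unless the CSV reader it feeds (14453a95, not in this diff) is configured with the quote character the MySQL log actually emits, rows will shift and `operation` and `retcode` will be read from the wrong columns. A one-line `<comment>` on the processor naming the expected log format and its quoting convention would make that contract explicit. This processor also uses a 1 MB `Maximum Buffer Size` against the 2 MB used by the ReplaceText processors in Common ListenBeats, with its `failure` relationship auto-terminated, so content between 1 and 2 MB that survived upstream is silently dropped here; aligning the two sizes or routing failure somewhere observable avoids that. The UpdateRecord processor that follows continues past the end of the hunk.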
@@ -4883,60 +5296,38 @@ <executionNode>ALL</executionNode> <runDurationNanos>0</runDurationNanos> <property> - <name>jolt-transform</name> - <value>jolt-transform-chain</value> + <name>record-reader</name> + <value>179dd31f-89ed-3179-adb2-85a9c61869ce</value> </property> <property> - <name>jolt-custom-class</name> + <name>record-writer</name> + <value>17b30955-5464-3709-8a32-69a459850cfa</value> </property> <property> - <name>jolt-custom-modules</name> + <name>replacement-value-strategy</name> + <value>literal-value</value> </property> <property> - <name>jolt-spec</name> - <value>[{ - "operation": "shift", - "spec": { - "*": { - "json": { - "*": "[&2].&" - }, - "host": { - "name": "[&2].labels.source_host" - }, - "source": "[&1].labels.source" - } - } -}, { - "operation": "shift", - "spec": { - "*": { - "dest_ip":"[&1].destination.ip", - "dest_port":"[&1].destination.port", - "src_ip":"[&1].source.ip", - "src_port":"[&1].source.port", - "*": "[&1].&" - } - } -}]</value> + <name>/event_type</name> + <value>log</value> </property> <property> - <name>Transform Cache Size</name> - <value>1</value> + <name>/labels/source_host</name> + <value>${source_host}</value> </property> <property> - <name>pretty_print</name> - <value>false</value> + <name>/timestamp</name> + <value>${field.value:toDate('yyMMdd HH:mm:ss'):format("yyyy-MM-dd'T'HH:mm:ss.SSSXXX")}</value> </property> <autoTerminatedRelationship>failure</autoTerminatedRelationship> </processor> <processor> - <id>fd6b6513-51f8-3a96-a764-13bd39ec7f84</id> - <name>Partition records based on event_type</name> - <position x="-382.59400260581754" y="446.9900134408068" /> + <id>50813f6b-a5f6-1a98-8ae4-115134714332</id> + <name>UpdateRecord</name> + <position x="352.0" y="472.0" /> <styles /> <comment /> - <class>org.apache.nifi.processors.standard.PartitionRecord</class> + <class>org.apache.nifi.processors.standard.UpdateRecord</class> <bundle> <group>org.apache.nifi</group> <artifact>nifi-standard-nar</artifact> 
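Review bot: The `/timestamp` expression `${field.value:toDate('yyMMdd HH:mm:ss'):format("yyyy-MM-dd'T'HH:mm:ss.SSSXXX")}` passes no timezone to `toDate`, so the value is interpreted in the NiFi host's default zone and the emitted offset is wrong whenever the MySQL server logs in a different one. If the source logs are UTC, `${field.value:toDate('yyMMdd HH:mm:ss', 'UTC'):format("yyyy-MM-dd'T'HH:mm:ss.SSSXXX")}` pins the interpretation; the same applies to the `yyyyMMdd HH:mm:ss` variant in the next hunk, and the two-digit versus four-digit year between the two UpdateRecords is inconsistent enough to check against a real log sample. A value that does not match the pattern fails the record and, with `failure` auto-terminated, it simply vanishes, which argues for routing failure to a visible queue.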
@@ -4961,19 +5352,61 @@ <value>17b30955-5464-3709-8a32-69a459850cfa</value> </property> <property> - <name>event_type</name> - <value>/event_type</value> + <name>replacement-value-strategy</name> + <value>literal-value</value> + </property> + <property> + <name>/event_type</name> + <value>audit</value> + </property> + <property> + <name>/labels/source_host</name> + <value>${source_host}</value> + </property> + <property> + <name>/timestamp</name> + <value>${field.value:toDate('yyyyMMdd HH:mm:ss'):format("yyyy-MM-dd'T'HH:mm:ss.SSSXXX")}</value> </property> <autoTerminatedRelationship>failure</autoTerminatedRelationship> - <autoTerminatedRelationship>original</autoTerminatedRelationship> </processor> <processor> - <id>1a038948-9e9a-3523-b899-990077bfd575</id> - <name>Convert timestamp</name> - <position x="-385.7461824498648" y="233.13395543765722" /> + <id>e4353681-23e9-15af-0000-000032ea35e3</id> + <name>RouteOnAttribute</name> + <position x="-352.0" y="0.0" /> <styles /> <comment /> - <class>org.apache.nifi.processors.standard.UpdateRecord</class> + <class>org.apache.nifi.processors.standard.RouteOnAttribute</class> + <bundle> + <group>org.apache.nifi</group> + <artifact>nifi-standard-nar</artifact> + <version>1.12.1</version> + </bundle> + <maxConcurrentTasks>1</maxConcurrentTasks> + <schedulingPeriod>0 sec</schedulingPeriod> + <penalizationPeriod>30 sec</penalizationPeriod> + <yieldPeriod>1 sec</yieldPeriod> + <bulletinLevel>WARN</bulletinLevel> + <lossTolerant>false</lossTolerant> + <scheduledState>RUNNING</scheduledState> + <schedulingStrategy>TIMER_DRIVEN</schedulingStrategy> + <executionNode>ALL</executionNode> + <runDurationNanos>0</runDurationNanos> + <property> + <name>Routing Strategy</name> + <value>Route to Property name</value> + </property> + <property> + <name>audit</name> + <value>${source_file:contains("audit")}</value> + </property> + </processor> + <processor> + <id>f92d3f77-958a-1344-bd3b-7c93457e5c12</id> + <name>Extract message</name> + 
<position x="-360.0" y="-216.0" /> + <styles /> + <comment /> + <class>org.apache.nifi.processors.standard.ConvertRecord</class> <bundle> <group>org.apache.nifi</group> <artifact>nifi-standard-nar</artifact> 
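Review bot: The `audit` route keys on `${source_file:contains("audit")}`, a substring match over an attribute that originates in the client-supplied `/log/file/path` field (see the PartitionRecord in Common ListenBeats), so any path containing "audit" anywhere — a directory name, a rotated `audit.log.1`, or whatever a sender chooses to report — is parsed with the audit column layout. Restricting the test to the file name, e.g. `${source_file:substringAfterLast('/'):startsWith('audit')}`, narrows that, and a `<comment>` noting that the value is sender-controlled would help whoever tunes it next. The processor has no auto-terminated `unmatched` relationship in this hunk, so non-audit records presumably continue on a connection outside the diff. The `Extract message` processor at the end continues past the hunk.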
@@ -4995,30 +5428,54 @@ </property> <property> <name>record-writer</name> - <value>17b30955-5464-3709-8a32-69a459850cfa</value> + <value>bc8e5957-0175-1000-0000-00003346421d</value> </property> <property> - <name>replacement-value-strategy</name> - <value>literal-value</value> + <name>include-zero-record-flowfiles</name> + <value>true</value> </property> + <autoTerminatedRelationship>failure</autoTerminatedRelationship> + </processor> + <processor> + <id>92693a34-99da-1004-adfb-bdf4aa7e1c30</id> + <name>Convert to json</name> + <position x="352.0" y="240.0" /> + <styles /> + <comment /> + <class>org.apache.nifi.processors.standard.ConvertRecord</class> + <bundle> + <group>org.apache.nifi</group> + <artifact>nifi-standard-nar</artifact> + <version>1.12.1</version> + </bundle> + <maxConcurrentTasks>1</maxConcurrentTasks> + <schedulingPeriod>0 sec</schedulingPeriod> + <penalizationPeriod>30 sec</penalizationPeriod> + <yieldPeriod>1 sec</yieldPeriod> + <bulletinLevel>WARN</bulletinLevel> + <lossTolerant>false</lossTolerant> + <scheduledState>RUNNING</scheduledState> + <schedulingStrategy>TIMER_DRIVEN</schedulingStrategy> + <executionNode>ALL</executionNode> + <runDurationNanos>0</runDurationNanos> <property> - <name>/TLP</name> - <value>AMBER</value> + <name>record-reader</name> + <value>14453a95-7646-1485-0000-00002c675762</value> </property> <property> - <name>/mime.type</name> - <value>application/json</value> + <name>record-writer</name> + <value>17b30955-5464-3709-8a32-69a459850cfa</value> </property> <property> - <name>/timestamp</name> - <value>${field.value:replaceFirst('\+(\d\d)(\d\d)','+$1:$2')}</value> + <name>include-zero-record-flowfiles</name> + <value>false</value> </property> <autoTerminatedRelationship>failure</autoTerminatedRelationship> </processor> <processor> - <id>46cdd7aa-91f0-307c-90aa-65747e558f25</id> - <name>Add attributes</name> - <position x="-984.0" y="456.0" /> + <id>48723b8e-fae0-14e6-afdc-85c239646dc0</id> + <name>UpdateAttribute</name> 
+ <position x="-320.0" y="648.0" /> <styles /> <comment /> <class>org.apache.nifi.processors.attributes.UpdateAttribute</class> 
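Review bot: The replaced Suricata `Convert timestamp` UpdateRecord set `/TLP` to AMBER and `/mime.type` to application/json on every record, but none of the new Mysql-group processors in this patch (the two UpdateRecords, the two ConvertRecords here, the UpdateAttribute that follows) sets a TLP value, and the `TLP` attribute is removed from the UpdateAttribute in the next hunk as well. If the enrichment and output groups use TLP to decide who may see a record, MySQL audit and general-log events — which carry usernames, hosts and full SQL text — would arrive unclassified; re-adding `<name>/TLP</name><value>AMBER</value>` to the Mysql UpdateRecords, or a comment stating why mysql data is intentionally untagged, would close that gap. `include-zero-record-flowfiles` is true on `Extract message` and false on `Convert to json` with no explanation, which a short `<comment>` on each could cover. The UpdateAttribute processor at the end continues past the hunk.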
@@ -5051,674 +5508,258 @@ <name>canonical-value-lookup-cache-size</name> <value>100</value> </property> - <property> - <name>data_id</name> - <value>suricata-${event_type}</value> - </property> <property> <name>data_index</name> - <value>logs-${beats.sender:substringBeforeLast('/'):substringBeforeLast('.'):substringAfterLast('.')}-suricata-${event_type}</value> + <value>logs-mysql</value> </property> <property> - <name>data_type</name> - <value>suricata</value> + <name>enrich_ip1</name> + <value>/client.ip</value> </property> + </processor> + <processor> + <id>14453a41-7646-1485-b398-28f819de4a45</id> + <name>Convert to json</name> + <position x="-336.0" y="200.0" /> + <styles /> + <comment /> + <class>org.apache.nifi.processors.standard.ConvertRecord</class> + <bundle> + <group>org.apache.nifi</group> + <artifact>nifi-standard-nar</artifact> + <version>1.12.1</version> + </bundle> + <maxConcurrentTasks>1</maxConcurrentTasks> + <schedulingPeriod>0 sec</schedulingPeriod> + <penalizationPeriod>30 sec</penalizationPeriod> + <yieldPeriod>1 sec</yieldPeriod> + <bulletinLevel>WARN</bulletinLevel> + <lossTolerant>false</lossTolerant> + <scheduledState>RUNNING</scheduledState> + <schedulingStrategy>TIMER_DRIVEN</schedulingStrategy> + <executionNode>ALL</executionNode> + <runDurationNanos>0</runDurationNanos> <property> - <name>enrich_ip2</name> - <value>/destination/ip</value> + <name>record-reader</name> + <value>70ea12d7-0176-1000-ffff-ffffee2ee306</value> </property> <property> - <name>enrich_ip1</name> - <value>/source/ip</value> + <name>record-writer</name> + <value>17b30955-5464-3709-8a32-69a459850cfa</value> </property> <property> - <name>TLP</name> - <value>AMBER</value> + <name>include-zero-record-flowfiles</name> + <value>false</value> </property> + <autoTerminatedRelationship>failure</autoTerminatedRelationship> </processor> <inputPort> - <id>8d13c952-0175-1000-0000-00007e8f4cae</id> + <id>7f683020-779c-1bc9-85da-5bad079d5d9d</id> <name>Input</name> - <position 
x="-928.0" y="16.0" /> + <position x="-312.0" y="-336.0" /> <comments /> <scheduledState>RUNNING</scheduledState> </inputPort> <outputPort> - <id>055308a4-d020-39a9-9da4-b165796ef717</id> - <name>To enrichment</name> - <position x="-928.0" y="1208.0" /> + <id>bcbb33ba-112e-1f53-8982-d5ae9f0e701f</id> + <name>Output</name> + <position x="-256.0" y="960.0" /> <comments /> <scheduledState>RUNNING</scheduledState> </outputPort> - <processGroup> - <id>8d1afcd0-0175-1000-ffff-ffffb3690a74</id> - <name>TLS events</name> - <position x="-384.0" y="872.0" /> - <comment /> - <flowfileConcurrency>UNBOUNDED</flowfileConcurrency> - <flowfileOutboundPolicy>STREAM_WHEN_AVAILABLE</flowfileOutboundPolicy> - <processor> - <id>9279850b-0175-1000-0000-00001e74d182</id> - <name>Copy SNI</name> - <position x="504.0" y="320.0" /> - <styles /> - <comment /> - <class>org.apache.nifi.processors.standard.UpdateRecord</class> - <bundle> - <group>org.apache.nifi</group> - <artifact>nifi-standard-nar</artifact> - <version>1.12.1</version> - </bundle> - <maxConcurrentTasks>1</maxConcurrentTasks> - <schedulingPeriod>0 sec</schedulingPeriod> - <penalizationPeriod>30 sec</penalizationPeriod> - <yieldPeriod>1 sec</yieldPeriod> - <bulletinLevel>WARN</bulletinLevel> - <lossTolerant>false</lossTolerant> - <scheduledState>RUNNING</scheduledState> - <schedulingStrategy>TIMER_DRIVEN</schedulingStrategy> - <executionNode>ALL</executionNode> - <runDurationNanos>0</runDurationNanos> - <property> - <name>record-reader</name> - <value>179dd31f-89ed-3179-adb2-85a9c61869ce</value> - </property> - <property> - <name>record-writer</name> - <value>17b30955-5464-3709-8a32-69a459850cfa</value> - </property> - <property> - <name>replacement-value-strategy</name> - <value>record-path-value</value> - </property> - <property> - <name>/tls/sni_length</name> - <value>/tls/sni</value> - </property> - <property> - <name>/tls/sni_domain_length</name> - <value>/tls/sni</value> - </property> - <property> - 
<name>/tls/sni_domain</name> - <value>/tls/sni</value> - </property> - <autoTerminatedRelationship>failure</autoTerminatedRelationship> - </processor> - <processor> - <id>349b3279-a821-1197-aaa6-7e5472dccbef</id> - <name>Add sni_domain ++</name> - <position x="504.0" y="544.0" /> - <styles /> - <comment /> - <class>org.apache.nifi.processors.standard.UpdateRecord</class> - <bundle> - <group>org.apache.nifi</group> - <artifact>nifi-standard-nar</artifact> - <version>1.12.1</version> - </bundle> - <maxConcurrentTasks>1</maxConcurrentTasks> - <schedulingPeriod>0 sec</schedulingPeriod> - <penalizationPeriod>30 sec</penalizationPeriod> - <yieldPeriod>1 sec</yieldPeriod> - <bulletinLevel>WARN</bulletinLevel> - <lossTolerant>false</lossTolerant> - <scheduledState>RUNNING</scheduledState> - <schedulingStrategy>TIMER_DRIVEN</schedulingStrategy> - <executionNode>ALL</executionNode> - <runDurationNanos>0</runDurationNanos> - <property> - <name>record-reader</name> - <value>179dd31f-89ed-3179-adb2-85a9c61869ce</value> - </property> - <property> - <name>record-writer</name> - <value>17b30955-5464-3709-8a32-69a459850cfa</value> - </property> - <property> - <name>replacement-value-strategy</name> - <value>literal-value</value> - </property> - <property> - <name>/tls/sni_length</name> - <value>${field.value:length():toNumber()}</value> - </property> - <property> - <name>/tls/sni_domain_length</name> - <value>${field.value:substringBeforeLast('.'):substringAfterLast('.'):append(${field.value:substringAfterLast('.'):prepend('.')}):length():toNumber()}</value> - </property> - <property> - <name>/tls/sni_domain</name> - <value>${field.value:substringBeforeLast('.'):substringAfterLast('.'):append(${field.value:substringAfterLast('.'):prepend('.')})}</value> - </property> - <autoTerminatedRelationship>failure</autoTerminatedRelationship> - </processor> - <processor> - <id>349b3291-a821-1197-0000-000032560c6a</id> - <name>Specify enrichment fields</name> - <position x="504.0" y="752.0" 
/> - <styles /> - <comment /> - <class>org.apache.nifi.processors.attributes.UpdateAttribute</class> - <bundle> - <group>org.apache.nifi</group> - <artifact>nifi-update-attribute-nar</artifact> - <version>1.12.1</version> - </bundle> - <maxConcurrentTasks>1</maxConcurrentTasks> - <schedulingPeriod>0 sec</schedulingPeriod> - <penalizationPeriod>30 sec</penalizationPeriod> - <yieldPeriod>1 sec</yieldPeriod> - <bulletinLevel>WARN</bulletinLevel> - <lossTolerant>false</lossTolerant> - <scheduledState>RUNNING</scheduledState> - <schedulingStrategy>TIMER_DRIVEN</schedulingStrategy> - <executionNode>ALL</executionNode> - <runDurationNanos>0</runDurationNanos> - <property> - <name>Delete Attributes Expression</name> - </property> - <property> - <name>Store State</name> - <value>Do not store state</value> - </property> - <property> - <name>Stateful Variables Initial Value</name> - </property> - <property> - <name>canonical-value-lookup-cache-size</name> - <value>100</value> - </property> - <property> - <name>enrich_domain1</name> - <value>/tls/sni_domain</value> - </property> - <property> - <name>enrich_fqdn1</name> - <value>/tls/sni</value> - </property> - </processor> - <inputPort> - <id>92795a59-0175-1000-ffff-ffff89bc5f21</id> - <name>Input</name> - <position x="552.9999060626994" y="144.00001181679164" /> - <comments /> - <scheduledState>RUNNING</scheduledState> - </inputPort> - <outputPort> - <id>349b32d8-a821-1197-0000-000025a75a3b</id> - <name>Output</name> - <position x="552.0" y="976.0" /> - <comments /> - <scheduledState>RUNNING</scheduledState> - </outputPort> - <connection> - <id>9279996e-0175-1000-0000-000037fbed8b</id> - <name /> - <bendPoints /> - <labelIndex>1</labelIndex> - <zIndex>0</zIndex> - <sourceId>92795a59-0175-1000-ffff-ffff89bc5f21</sourceId> - <sourceGroupId>8d1afcd0-0175-1000-ffff-ffffb3690a74</sourceGroupId> - <sourceType>INPUT_PORT</sourceType> - <destinationId>9279850b-0175-1000-0000-00001e74d182</destinationId> - 
<destinationGroupId>8d1afcd0-0175-1000-ffff-ffffb3690a74</destinationGroupId> - <destinationType>PROCESSOR</destinationType> - <relationship /> - <maxWorkQueueSize>10000</maxWorkQueueSize> - <maxWorkQueueDataSize>1 GB</maxWorkQueueDataSize> - <flowFileExpiration>0 sec</flowFileExpiration> - <loadBalanceStrategy>DO_NOT_LOAD_BALANCE</loadBalanceStrategy> - <partitioningAttribute /> - <loadBalanceCompression>DO_NOT_COMPRESS</loadBalanceCompression> - </connection> - <connection> - <id>349b3297-a821-1197-0000-0000717807b6</id> - <name /> - <bendPoints /> - <labelIndex>1</labelIndex> - <zIndex>0</zIndex> - <sourceId>349b3279-a821-1197-aaa6-7e5472dccbef</sourceId> - <sourceGroupId>8d1afcd0-0175-1000-ffff-ffffb3690a74</sourceGroupId> - <sourceType>PROCESSOR</sourceType> - <destinationId>349b3291-a821-1197-0000-000032560c6a</destinationId> - <destinationGroupId>8d1afcd0-0175-1000-ffff-ffffb3690a74</destinationGroupId> - <destinationType>PROCESSOR</destinationType> - <relationship>success</relationship> - <maxWorkQueueSize>10000</maxWorkQueueSize> - <maxWorkQueueDataSize>1 GB</maxWorkQueueDataSize> - <flowFileExpiration>0 sec</flowFileExpiration> - <loadBalanceStrategy>DO_NOT_LOAD_BALANCE</loadBalanceStrategy> - <partitioningAttribute /> - <loadBalanceCompression>DO_NOT_COMPRESS</loadBalanceCompression> - </connection> - <connection> - <id>349b327f-a821-1197-ffff-ffff8946a863</id> - <name /> - <bendPoints /> - <labelIndex>1</labelIndex> - <zIndex>0</zIndex> - <sourceId>9279850b-0175-1000-0000-00001e74d182</sourceId> - <sourceGroupId>8d1afcd0-0175-1000-ffff-ffffb3690a74</sourceGroupId> - <sourceType>PROCESSOR</sourceType> - <destinationId>349b3279-a821-1197-aaa6-7e5472dccbef</destinationId> - <destinationGroupId>8d1afcd0-0175-1000-ffff-ffffb3690a74</destinationGroupId> - <destinationType>PROCESSOR</destinationType> - <relationship>success</relationship> - <maxWorkQueueSize>10000</maxWorkQueueSize> - <maxWorkQueueDataSize>1 GB</maxWorkQueueDataSize> - <flowFileExpiration>0 
sec</flowFileExpiration> - <loadBalanceStrategy>DO_NOT_LOAD_BALANCE</loadBalanceStrategy> - <partitioningAttribute /> - <loadBalanceCompression>DO_NOT_COMPRESS</loadBalanceCompression> - </connection> - <connection> - <id>349b32da-a821-1197-0000-000047979e25</id> - <name /> - <bendPoints /> - <labelIndex>1</labelIndex> - <zIndex>0</zIndex> - <sourceId>349b3291-a821-1197-0000-000032560c6a</sourceId> - <sourceGroupId>8d1afcd0-0175-1000-ffff-ffffb3690a74</sourceGroupId> - <sourceType>PROCESSOR</sourceType> - <destinationId>349b32d8-a821-1197-0000-000025a75a3b</destinationId> - <destinationGroupId>8d1afcd0-0175-1000-ffff-ffffb3690a74</destinationGroupId> - <destinationType>OUTPUT_PORT</destinationType> - <relationship>success</relationship> - <maxWorkQueueSize>10000</maxWorkQueueSize> - <maxWorkQueueDataSize>1 GB</maxWorkQueueDataSize> - <flowFileExpiration>0 sec</flowFileExpiration> - <loadBalanceStrategy>DO_NOT_LOAD_BALANCE</loadBalanceStrategy> - <partitioningAttribute /> - <loadBalanceCompression>DO_NOT_COMPRESS</loadBalanceCompression> - </connection> - </processGroup> - <processGroup> - <id>8d1ad21f-0175-1000-0000-00003c540411</id> - <name>DNS events</name> - <position x="-1000.0" y="872.0" /> - <comment /> - <flowfileConcurrency>UNBOUNDED</flowfileConcurrency> - <flowfileOutboundPolicy>STREAM_WHEN_AVAILABLE</flowfileOutboundPolicy> - <processor> - <id>8d37fe91-0175-1000-ffff-ffffb5c4de34</id> - <name>Add rrname_domain++</name> - <position x="1056.0" y="568.0" /> - <styles /> - <comment /> - <class>org.apache.nifi.processors.standard.UpdateRecord</class> - <bundle> - <group>org.apache.nifi</group> - <artifact>nifi-standard-nar</artifact> - <version>1.12.1</version> - </bundle> - <maxConcurrentTasks>1</maxConcurrentTasks> - <schedulingPeriod>0 sec</schedulingPeriod> - <penalizationPeriod>30 sec</penalizationPeriod> - <yieldPeriod>1 sec</yieldPeriod> - <bulletinLevel>WARN</bulletinLevel> - <lossTolerant>false</lossTolerant> - 
<scheduledState>RUNNING</scheduledState> - <schedulingStrategy>TIMER_DRIVEN</schedulingStrategy> - <executionNode>ALL</executionNode> - <runDurationNanos>0</runDurationNanos> - <property> - <name>record-reader</name> - <value>179dd31f-89ed-3179-adb2-85a9c61869ce</value> - </property> - <property> - <name>record-writer</name> - <value>17b30955-5464-3709-8a32-69a459850cfa</value> - </property> - <property> - <name>replacement-value-strategy</name> - <value>literal-value</value> - </property> - <property> - <name>/dns/rrname_domain</name> - <value>${field.value:substringBeforeLast('.'):substringAfterLast('.'):append(${field.value:substringAfterLast('.'):prepend('.')})}</value> - </property> - <property> - <name>/dns/rrname_length</name> - <value>${field.value:length():toNumber()}</value> - </property> - <property> - <name>/dns/rrname_domain_length</name> - <value>${field.value:substringBeforeLast('.'):substringAfterLast('.'):append(${field.value:substringAfterLast('.'):prepend('.')}):length():toNumber()}</value> - </property> - <autoTerminatedRelationship>failure</autoTerminatedRelationship> - </processor> - <processor> - <id>8d312ef9-0175-1000-ffff-fffff23bbb0c</id> - <name>Route on DNS type</name> - <position x="1056.0" y="128.0" /> - <styles /> - <comment /> - <class>org.apache.nifi.processors.standard.RouteOnAttribute</class> - <bundle> - <group>org.apache.nifi</group> - <artifact>nifi-standard-nar</artifact> - <version>1.12.1</version> - </bundle> - <maxConcurrentTasks>1</maxConcurrentTasks> - <schedulingPeriod>0 sec</schedulingPeriod> - <penalizationPeriod>30 sec</penalizationPeriod> - <yieldPeriod>1 sec</yieldPeriod> - <bulletinLevel>WARN</bulletinLevel> - <lossTolerant>false</lossTolerant> - <scheduledState>RUNNING</scheduledState> - <schedulingStrategy>TIMER_DRIVEN</schedulingStrategy> - <executionNode>ALL</executionNode> - <runDurationNanos>0</runDurationNanos> - <property> - <name>Routing Strategy</name> - <value>Route to Property name</value> - </property> 
- <property> - <name>answer</name> - <value>${type:contains("answer")}</value> - </property> - </processor> - <processor> - <id>8d2262f6-0175-1000-0000-000029eaa6ef</id> - <name>Partition on dns message type</name> - <position x="432.0" y="136.0" /> - <styles /> - <comment /> - <class>org.apache.nifi.processors.standard.PartitionRecord</class> - <bundle> - <group>org.apache.nifi</group> - <artifact>nifi-standard-nar</artifact> - <version>1.12.1</version> - </bundle> - <maxConcurrentTasks>1</maxConcurrentTasks> - <schedulingPeriod>0 sec</schedulingPeriod> - <penalizationPeriod>30 sec</penalizationPeriod> - <yieldPeriod>1 sec</yieldPeriod> - <bulletinLevel>WARN</bulletinLevel> - <lossTolerant>false</lossTolerant> - <scheduledState>RUNNING</scheduledState> - <schedulingStrategy>TIMER_DRIVEN</schedulingStrategy> - <executionNode>ALL</executionNode> - <runDurationNanos>0</runDurationNanos> - <property> - <name>record-reader</name> - <value>179dd31f-89ed-3179-adb2-85a9c61869ce</value> - </property> - <property> - <name>record-writer</name> - <value>17b30955-5464-3709-8a32-69a459850cfa</value> - </property> - <property> - <name>type</name> - <value>/dns/type</value> - </property> - <autoTerminatedRelationship>failure</autoTerminatedRelationship> - <autoTerminatedRelationship>original</autoTerminatedRelationship> - </processor> - <processor> - <id>8d36474f-0175-1000-0000-00003a8dd2d0</id> - <name>UpdateAttribute</name> - <position x="1056.0" y="768.0" /> - <styles /> - <comment /> - <class>org.apache.nifi.processors.attributes.UpdateAttribute</class> - <bundle> - <group>org.apache.nifi</group> - <artifact>nifi-update-attribute-nar</artifact> - <version>1.12.1</version> - </bundle> - <maxConcurrentTasks>1</maxConcurrentTasks> - <schedulingPeriod>0 sec</schedulingPeriod> - <penalizationPeriod>30 sec</penalizationPeriod> - <yieldPeriod>1 sec</yieldPeriod> - <bulletinLevel>WARN</bulletinLevel> - <lossTolerant>false</lossTolerant> - <scheduledState>RUNNING</scheduledState> - 
<schedulingStrategy>TIMER_DRIVEN</schedulingStrategy> - <executionNode>ALL</executionNode> - <runDurationNanos>0</runDurationNanos> - <property> - <name>Delete Attributes Expression</name> - </property> - <property> - <name>Store State</name> - <value>Do not store state</value> - </property> - <property> - <name>Stateful Variables Initial Value</name> - </property> - <property> - <name>canonical-value-lookup-cache-size</name> - <value>100</value> - </property> - <property> - <name>enrich_domain1</name> - <value>/dns/rrname_domain</value> - </property> - <property> - <name>enrich_fqdn1</name> - <value>/dns/rrname</value> - </property> - </processor> - <processor> - <id>8d34409e-0175-1000-ffff-ffff99eb371d</id> - <name>Extract rrname_domain++</name> - <position x="1056.0" y="368.0" /> - <styles /> - <comment /> - <class>org.apache.nifi.processors.standard.UpdateRecord</class> - <bundle> - <group>org.apache.nifi</group> - <artifact>nifi-standard-nar</artifact> - <version>1.12.1</version> - </bundle> - <maxConcurrentTasks>1</maxConcurrentTasks> - <schedulingPeriod>0 sec</schedulingPeriod> - <penalizationPeriod>30 sec</penalizationPeriod> - <yieldPeriod>1 sec</yieldPeriod> - <bulletinLevel>WARN</bulletinLevel> - <lossTolerant>false</lossTolerant> - <scheduledState>RUNNING</scheduledState> - <schedulingStrategy>TIMER_DRIVEN</schedulingStrategy> - <executionNode>ALL</executionNode> - <runDurationNanos>0</runDurationNanos> - <property> - <name>record-reader</name> - <value>179dd31f-89ed-3179-adb2-85a9c61869ce</value> - </property> - <property> - <name>record-writer</name> - <value>17b30955-5464-3709-8a32-69a459850cfa</value> - </property> - <property> - <name>replacement-value-strategy</name> - <value>literal-value</value> - </property> - <property> - <name>/dns/rrname_domain</name> - <value>/dns/rrname</value> - </property> - <property> - <name>/dns/rrname_length</name> - <value>/dns/rrname</value> - </property> - <property> - <name>/dns/rrname_domain_length</name> - 
<value>/dns/rrname</value> - </property> - <autoTerminatedRelationship>failure</autoTerminatedRelationship> - </processor> - <inputPort> - <id>8d212c22-0175-1000-ffff-fffffbc39157</id> - <name>Input</name> - <position x="488.0" y="0.0" /> - <comments /> - <scheduledState>RUNNING</scheduledState> - </inputPort> - <outputPort> - <id>8d211b58-0175-1000-0000-000003eb5f3b</id> - <name>Output</name> - <position x="448.0" y="808.0" /> - <comments /> - <scheduledState>RUNNING</scheduledState> - </outputPort> - <connection> - <id>8d3979b7-0175-1000-ffff-ffffe2efe898</id> - <name /> - <bendPoints /> - <labelIndex>1</labelIndex> - <zIndex>0</zIndex> - <sourceId>8d37fe91-0175-1000-ffff-ffffb5c4de34</sourceId> - <sourceGroupId>8d1ad21f-0175-1000-0000-00003c540411</sourceGroupId> - <sourceType>PROCESSOR</sourceType> - <destinationId>8d36474f-0175-1000-0000-00003a8dd2d0</destinationId> - <destinationGroupId>8d1ad21f-0175-1000-0000-00003c540411</destinationGroupId> - <destinationType>PROCESSOR</destinationType> - <relationship>success</relationship> - <maxWorkQueueSize>10000</maxWorkQueueSize> - <maxWorkQueueDataSize>1 GB</maxWorkQueueDataSize> - <flowFileExpiration>0 sec</flowFileExpiration> - <loadBalanceStrategy>DO_NOT_LOAD_BALANCE</loadBalanceStrategy> - <partitioningAttribute /> - <loadBalanceCompression>DO_NOT_COMPRESS</loadBalanceCompression> - </connection> - <connection> - <id>8d3afc9a-0175-1000-ffff-ffffe1ef144c</id> - <name /> - <bendPoints /> - <labelIndex>1</labelIndex> - <zIndex>0</zIndex> - <sourceId>8d36474f-0175-1000-0000-00003a8dd2d0</sourceId> - <sourceGroupId>8d1ad21f-0175-1000-0000-00003c540411</sourceGroupId> - <sourceType>PROCESSOR</sourceType> - <destinationId>8d211b58-0175-1000-0000-000003eb5f3b</destinationId> - <destinationGroupId>8d1ad21f-0175-1000-0000-00003c540411</destinationGroupId> - <destinationType>OUTPUT_PORT</destinationType> - <relationship>success</relationship> - <maxWorkQueueSize>10000</maxWorkQueueSize> - <maxWorkQueueDataSize>1 
GB</maxWorkQueueDataSize> - <flowFileExpiration>0 sec</flowFileExpiration> - <loadBalanceStrategy>DO_NOT_LOAD_BALANCE</loadBalanceStrategy> - <partitioningAttribute /> - <loadBalanceCompression>DO_NOT_COMPRESS</loadBalanceCompression> - </connection> - <connection> - <id>8d30f240-0175-1000-ffff-ffffa4cc8a58</id> - <name /> - <bendPoints /> - <labelIndex>1</labelIndex> - <zIndex>0</zIndex> - <sourceId>8d212c22-0175-1000-ffff-fffffbc39157</sourceId> - <sourceGroupId>8d1ad21f-0175-1000-0000-00003c540411</sourceGroupId> - <sourceType>INPUT_PORT</sourceType> - <destinationId>8d2262f6-0175-1000-0000-000029eaa6ef</destinationId> - <destinationGroupId>8d1ad21f-0175-1000-0000-00003c540411</destinationGroupId> - <destinationType>PROCESSOR</destinationType> - <relationship /> - <maxWorkQueueSize>10000</maxWorkQueueSize> - <maxWorkQueueDataSize>1 GB</maxWorkQueueDataSize> - <flowFileExpiration>0 sec</flowFileExpiration> - <loadBalanceStrategy>DO_NOT_LOAD_BALANCE</loadBalanceStrategy> - <partitioningAttribute /> - <loadBalanceCompression>DO_NOT_COMPRESS</loadBalanceCompression> - </connection> - <connection> - <id>8d3b1d93-0175-1000-ffff-ffffe953d6b9</id> - <name /> - <bendPoints> - <bendPoint x="568.0" y="400.0" /> - </bendPoints> - <labelIndex>0</labelIndex> - <zIndex>0</zIndex> - <sourceId>8d312ef9-0175-1000-ffff-fffff23bbb0c</sourceId> - <sourceGroupId>8d1ad21f-0175-1000-0000-00003c540411</sourceGroupId> - <sourceType>PROCESSOR</sourceType> - <destinationId>8d211b58-0175-1000-0000-000003eb5f3b</destinationId> - <destinationGroupId>8d1ad21f-0175-1000-0000-00003c540411</destinationGroupId> - <destinationType>OUTPUT_PORT</destinationType> - <relationship>unmatched</relationship> - <maxWorkQueueSize>10000</maxWorkQueueSize> - <maxWorkQueueDataSize>1 GB</maxWorkQueueDataSize> - <flowFileExpiration>0 sec</flowFileExpiration> - <loadBalanceStrategy>DO_NOT_LOAD_BALANCE</loadBalanceStrategy> - <partitioningAttribute /> - 
<loadBalanceCompression>DO_NOT_COMPRESS</loadBalanceCompression> - </connection> - <connection> - <id>8d3821ce-0175-1000-0000-000046a72d11</id> - <name /> - <bendPoints /> - <labelIndex>1</labelIndex> - <zIndex>0</zIndex> - <sourceId>8d34409e-0175-1000-ffff-ffff99eb371d</sourceId> - <sourceGroupId>8d1ad21f-0175-1000-0000-00003c540411</sourceGroupId> - <sourceType>PROCESSOR</sourceType> - <destinationId>8d37fe91-0175-1000-ffff-ffffb5c4de34</destinationId> - <destinationGroupId>8d1ad21f-0175-1000-0000-00003c540411</destinationGroupId> - <destinationType>PROCESSOR</destinationType> - <relationship>success</relationship> - <maxWorkQueueSize>10000</maxWorkQueueSize> - <maxWorkQueueDataSize>1 GB</maxWorkQueueDataSize> - <flowFileExpiration>0 sec</flowFileExpiration> - <loadBalanceStrategy>DO_NOT_LOAD_BALANCE</loadBalanceStrategy> - <partitioningAttribute /> - <loadBalanceCompression>DO_NOT_COMPRESS</loadBalanceCompression> - </connection> - <connection> - <id>8d3281c3-0175-1000-ffff-ffffed50fa50</id> - <name /> - <bendPoints /> - <labelIndex>1</labelIndex> - <zIndex>0</zIndex> - <sourceId>8d2262f6-0175-1000-0000-000029eaa6ef</sourceId> - <sourceGroupId>8d1ad21f-0175-1000-0000-00003c540411</sourceGroupId> - <sourceType>PROCESSOR</sourceType> - <destinationId>8d312ef9-0175-1000-ffff-fffff23bbb0c</destinationId> - <destinationGroupId>8d1ad21f-0175-1000-0000-00003c540411</destinationGroupId> - <destinationType>PROCESSOR</destinationType> - <relationship>success</relationship> - <maxWorkQueueSize>10000</maxWorkQueueSize> - <maxWorkQueueDataSize>1 GB</maxWorkQueueDataSize> - <flowFileExpiration>0 sec</flowFileExpiration> - <loadBalanceStrategy>DO_NOT_LOAD_BALANCE</loadBalanceStrategy> - <partitioningAttribute /> - <loadBalanceCompression>DO_NOT_COMPRESS</loadBalanceCompression> - </connection> - <connection> - <id>8d3485f4-0175-1000-0000-0000175959ff</id> - <name /> - <bendPoints /> - <labelIndex>1</labelIndex> - <zIndex>0</zIndex> - 
<sourceId>8d312ef9-0175-1000-ffff-fffff23bbb0c</sourceId> - <sourceGroupId>8d1ad21f-0175-1000-0000-00003c540411</sourceGroupId> - <sourceType>PROCESSOR</sourceType> - <destinationId>8d34409e-0175-1000-ffff-ffff99eb371d</destinationId> - <destinationGroupId>8d1ad21f-0175-1000-0000-00003c540411</destinationGroupId> - <destinationType>PROCESSOR</destinationType> - <relationship>answer</relationship> - <maxWorkQueueSize>10000</maxWorkQueueSize> - <maxWorkQueueDataSize>1 GB</maxWorkQueueDataSize> - <flowFileExpiration>0 sec</flowFileExpiration> - <loadBalanceStrategy>DO_NOT_LOAD_BALANCE</loadBalanceStrategy> - <partitioningAttribute /> - <loadBalanceCompression>DO_NOT_COMPRESS</loadBalanceCompression> - </connection> - </processGroup> <connection> - <id>349b32bb-a821-1197-ffff-ffff81dc7ff2</id> + <id>14453eaa-7646-1485-0000-000070b97065</id> + <name /> + <bendPoints /> + <labelIndex>1</labelIndex> + <zIndex>0</zIndex> + <sourceId>14453e90-7646-1485-ffff-ffff81f3c683</sourceId> + <sourceGroupId>48bc31b5-dbc5-116d-adbe-fe0f10314ac2</sourceGroupId> + <sourceType>PROCESSOR</sourceType> + <destinationId>92693a34-99da-1004-adfb-bdf4aa7e1c30</destinationId> + <destinationGroupId>48bc31b5-dbc5-116d-adbe-fe0f10314ac2</destinationGroupId> + <destinationType>PROCESSOR</destinationType> + <relationship>success</relationship> + <maxWorkQueueSize>10000</maxWorkQueueSize> + <maxWorkQueueDataSize>1 GB</maxWorkQueueDataSize> + <flowFileExpiration>0 sec</flowFileExpiration> + <loadBalanceStrategy>DO_NOT_LOAD_BALANCE</loadBalanceStrategy> + <partitioningAttribute /> + <loadBalanceCompression>DO_NOT_COMPRESS</loadBalanceCompression> + </connection> + <connection> + <id>e43535a1-23e9-15af-9f98-2061dd6f97d6</id> + <name /> + <bendPoints /> + <labelIndex>1</labelIndex> + <zIndex>0</zIndex> + <sourceId>92693a34-99da-1004-adfb-bdf4aa7e1c30</sourceId> + <sourceGroupId>48bc31b5-dbc5-116d-adbe-fe0f10314ac2</sourceGroupId> + <sourceType>PROCESSOR</sourceType> + 
<destinationId>50813f6b-a5f6-1a98-8ae4-115134714332</destinationId> + <destinationGroupId>48bc31b5-dbc5-116d-adbe-fe0f10314ac2</destinationGroupId> + <destinationType>PROCESSOR</destinationType> + <relationship>success</relationship> + <maxWorkQueueSize>10000</maxWorkQueueSize> + <maxWorkQueueDataSize>1 GB</maxWorkQueueDataSize> + <flowFileExpiration>0 sec</flowFileExpiration> + <loadBalanceStrategy>DO_NOT_LOAD_BALANCE</loadBalanceStrategy> + <partitioningAttribute /> + <loadBalanceCompression>DO_NOT_COMPRESS</loadBalanceCompression> + </connection> + <connection> + <id>70e77065-0176-1000-0000-00001479fdf4</id> + <name /> + <bendPoints /> + <labelIndex>1</labelIndex> + <zIndex>0</zIndex> + <sourceId>e0bd3907-2d13-1407-b2dd-48591e65e59d</sourceId> + <sourceGroupId>48bc31b5-dbc5-116d-adbe-fe0f10314ac2</sourceGroupId> + <sourceType>PROCESSOR</sourceType> + <destinationId>48723b8e-fae0-14e6-afdc-85c239646dc0</destinationId> + <destinationGroupId>48bc31b5-dbc5-116d-adbe-fe0f10314ac2</destinationGroupId> + <destinationType>PROCESSOR</destinationType> + <relationship>success</relationship> + <maxWorkQueueSize>10000</maxWorkQueueSize> + <maxWorkQueueDataSize>1 GB</maxWorkQueueDataSize> + <flowFileExpiration>0 sec</flowFileExpiration> + <loadBalanceStrategy>DO_NOT_LOAD_BALANCE</loadBalanceStrategy> + <partitioningAttribute /> + <loadBalanceCompression>DO_NOT_COMPRESS</loadBalanceCompression> + </connection> + <connection> + <id>cf95350a-de6c-1a4b-8183-8f9cfa11449a</id> + <name /> + <bendPoints /> + <labelIndex>1</labelIndex> + <zIndex>0</zIndex> + <sourceId>7f683020-779c-1bc9-85da-5bad079d5d9d</sourceId> + <sourceGroupId>48bc31b5-dbc5-116d-adbe-fe0f10314ac2</sourceGroupId> + <sourceType>INPUT_PORT</sourceType> + <destinationId>f92d3f77-958a-1344-bd3b-7c93457e5c12</destinationId> + <destinationGroupId>48bc31b5-dbc5-116d-adbe-fe0f10314ac2</destinationGroupId> + <destinationType>PROCESSOR</destinationType> + <relationship /> + <maxWorkQueueSize>10000</maxWorkQueueSize> + 
<maxWorkQueueDataSize>1 GB</maxWorkQueueDataSize> + <flowFileExpiration>0 sec</flowFileExpiration> + <loadBalanceStrategy>DO_NOT_LOAD_BALANCE</loadBalanceStrategy> + <partitioningAttribute /> + <loadBalanceCompression>DO_NOT_COMPRESS</loadBalanceCompression> + </connection> + <connection> + <id>14453fcf-7646-1485-ffff-ffff952df142</id> + <name /> + <bendPoints /> + <labelIndex>1</labelIndex> + <zIndex>0</zIndex> + <sourceId>e4353681-23e9-15af-0000-000032ea35e3</sourceId> + <sourceGroupId>48bc31b5-dbc5-116d-adbe-fe0f10314ac2</sourceGroupId> + <sourceType>PROCESSOR</sourceType> + <destinationId>14453e90-7646-1485-ffff-ffff81f3c683</destinationId> + <destinationGroupId>48bc31b5-dbc5-116d-adbe-fe0f10314ac2</destinationGroupId> + <destinationType>PROCESSOR</destinationType> + <relationship>audit</relationship> + <maxWorkQueueSize>10000</maxWorkQueueSize> + <maxWorkQueueDataSize>1 GB</maxWorkQueueDataSize> + <flowFileExpiration>0 sec</flowFileExpiration> + <loadBalanceStrategy>DO_NOT_LOAD_BALANCE</loadBalanceStrategy> + <partitioningAttribute /> + <loadBalanceCompression>DO_NOT_COMPRESS</loadBalanceCompression> + </connection> + <connection> + <id>3e21311d-dc5c-143f-b39e-d8fb8c9fd36d</id> + <name /> + <bendPoints /> + <labelIndex>1</labelIndex> + <zIndex>0</zIndex> + <sourceId>50813f6b-a5f6-1a98-8ae4-115134714332</sourceId> + <sourceGroupId>48bc31b5-dbc5-116d-adbe-fe0f10314ac2</sourceGroupId> + <sourceType>PROCESSOR</sourceType> + <destinationId>48723b8e-fae0-14e6-afdc-85c239646dc0</destinationId> + <destinationGroupId>48bc31b5-dbc5-116d-adbe-fe0f10314ac2</destinationGroupId> + <destinationType>PROCESSOR</destinationType> + <relationship>success</relationship> + <maxWorkQueueSize>10000</maxWorkQueueSize> + <maxWorkQueueDataSize>1 GB</maxWorkQueueDataSize> + <flowFileExpiration>0 sec</flowFileExpiration> + <loadBalanceStrategy>DO_NOT_LOAD_BALANCE</loadBalanceStrategy> + <partitioningAttribute /> + <loadBalanceCompression>DO_NOT_COMPRESS</loadBalanceCompression> + 
</connection> + <connection> + <id>14453a4b-7646-1485-ffff-fffffc8f5285</id> + <name /> + <bendPoints /> + <labelIndex>1</labelIndex> + <zIndex>0</zIndex> + <sourceId>e4353681-23e9-15af-0000-000032ea35e3</sourceId> + <sourceGroupId>48bc31b5-dbc5-116d-adbe-fe0f10314ac2</sourceGroupId> + <sourceType>PROCESSOR</sourceType> + <destinationId>14453a41-7646-1485-b398-28f819de4a45</destinationId> + <destinationGroupId>48bc31b5-dbc5-116d-adbe-fe0f10314ac2</destinationGroupId> + <destinationType>PROCESSOR</destinationType> + <relationship>unmatched</relationship> + <maxWorkQueueSize>10000</maxWorkQueueSize> + <maxWorkQueueDataSize>1 GB</maxWorkQueueDataSize> + <flowFileExpiration>0 sec</flowFileExpiration> + <loadBalanceStrategy>DO_NOT_LOAD_BALANCE</loadBalanceStrategy> + <partitioningAttribute /> + <loadBalanceCompression>DO_NOT_COMPRESS</loadBalanceCompression> + </connection> + <connection> + <id>7fe931b3-82b3-1699-b49a-d380dd14a5b8</id> + <name /> + <bendPoints /> + <labelIndex>1</labelIndex> + <zIndex>0</zIndex> + <sourceId>48723b8e-fae0-14e6-afdc-85c239646dc0</sourceId> + <sourceGroupId>48bc31b5-dbc5-116d-adbe-fe0f10314ac2</sourceGroupId> + <sourceType>PROCESSOR</sourceType> + <destinationId>bcbb33ba-112e-1f53-8982-d5ae9f0e701f</destinationId> + <destinationGroupId>48bc31b5-dbc5-116d-adbe-fe0f10314ac2</destinationGroupId> + <destinationType>OUTPUT_PORT</destinationType> + <relationship>success</relationship> + <maxWorkQueueSize>10000</maxWorkQueueSize> + <maxWorkQueueDataSize>1 GB</maxWorkQueueDataSize> + <flowFileExpiration>0 sec</flowFileExpiration> + <loadBalanceStrategy>DO_NOT_LOAD_BALANCE</loadBalanceStrategy> + <partitioningAttribute /> + <loadBalanceCompression>DO_NOT_COMPRESS</loadBalanceCompression> + </connection> + <connection> + <id>a35e3744-5906-1ee9-abc4-205356ca01d1</id> <name /> <bendPoints /> <labelIndex>1</labelIndex> <zIndex>0</zIndex> - <sourceId>8d1bef35-0175-1000-0000-0000746fa33d</sourceId> - 
<sourceGroupId>bd12dc14-015e-3428-bfdf-b1219d2d6fdb</sourceGroupId> + <sourceId>f92d3f77-958a-1344-bd3b-7c93457e5c12</sourceId> + <sourceGroupId>48bc31b5-dbc5-116d-adbe-fe0f10314ac2</sourceGroupId> <sourceType>PROCESSOR</sourceType> - <destinationId>92795a59-0175-1000-ffff-ffff89bc5f21</destinationId> - <destinationGroupId>8d1afcd0-0175-1000-ffff-ffffb3690a74</destinationGroupId> - <destinationType>INPUT_PORT</destinationType> - <relationship>tls</relationship> + <destinationId>e4353681-23e9-15af-0000-000032ea35e3</destinationId> + <destinationGroupId>48bc31b5-dbc5-116d-adbe-fe0f10314ac2</destinationGroupId> + <destinationType>PROCESSOR</destinationType> + <relationship>success</relationship> + <maxWorkQueueSize>10000</maxWorkQueueSize> + <maxWorkQueueDataSize>1 GB</maxWorkQueueDataSize> + <flowFileExpiration>0 sec</flowFileExpiration> + <loadBalanceStrategy>DO_NOT_LOAD_BALANCE</loadBalanceStrategy> + <partitioningAttribute /> + <loadBalanceCompression>DO_NOT_COMPRESS</loadBalanceCompression> + </connection> + <connection> + <id>70e8f3cb-0176-1000-0000-00006d2cdbf5</id> + <name /> + <bendPoints /> + <labelIndex>1</labelIndex> + <zIndex>0</zIndex> + <sourceId>14453a41-7646-1485-b398-28f819de4a45</sourceId> + <sourceGroupId>48bc31b5-dbc5-116d-adbe-fe0f10314ac2</sourceGroupId> + <sourceType>PROCESSOR</sourceType> + <destinationId>e0bd3907-2d13-1407-b2dd-48591e65e59d</destinationId> + <destinationGroupId>48bc31b5-dbc5-116d-adbe-fe0f10314ac2</destinationGroupId> + <destinationType>PROCESSOR</destinationType> + <relationship>success</relationship> <maxWorkQueueSize>10000</maxWorkQueueSize> <maxWorkQueueDataSize>1 GB</maxWorkQueueDataSize> <flowFileExpiration>0 sec</flowFileExpiration> 
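Review bot: The new `UpdateAttribute` sets `data_index` to the fixed value `logs-mysql` and no longer sets `data_type` or `data_id`, which the removed configuration derived from each event; if downstream routing or index-level access control keys on `data_type` (as the removed `suricata` value suggests), flowfiles leaving this group would arrive without it — confirm against the output side of the flow. `enrich_ip1` is set to `/client.ip`; in NiFi RecordPath a nested `client` → `ip` field is addressed as `/client/ip`, whereas `/client.ip` names a top-level field literally called `client.ip`, so check which shape the reader `70ea12d7-…` actually produces before enrichment depends on it. The `audit` and `unmatched` relationships from `e4353681-…` both have a consumer, which is good; the ports and connections here all belong to processGroup `48bc31b5-…`, whose start lies outside the hunk.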
@@ -5726,17 +5767,257 @@ <partitioningAttribute /> <loadBalanceCompression>DO_NOT_COMPRESS</loadBalanceCompression> </connection> + </processGroup> + <processGroup> + <id>355e3dc3-4da9-1443-ae3b-b6556e6a180a</id> + <name>Misp</name> + <position x="-432.0" y="64.0" /> + <comment /> + <flowfileConcurrency>UNBOUNDED</flowfileConcurrency> + <flowfileOutboundPolicy>STREAM_WHEN_AVAILABLE</flowfileOutboundPolicy> + <processor> + <id>71a77f51-0177-1000-ffff-ffffeb9d4168</id> + <name>Normalize fields</name> + <position x="352.0" y="664.0" /> + <styles /> + <comment /> + <class>org.apache.nifi.processors.standard.JoltTransformJSON</class> + <bundle> + <group>org.apache.nifi</group> + <artifact>nifi-standard-nar</artifact> + <version>1.12.1</version> + </bundle> + <maxConcurrentTasks>1</maxConcurrentTasks> + <schedulingPeriod>0 sec</schedulingPeriod> + <penalizationPeriod>30 sec</penalizationPeriod> + <yieldPeriod>1 sec</yieldPeriod> + <bulletinLevel>WARN</bulletinLevel> + <lossTolerant>false</lossTolerant> + <scheduledState>RUNNING</scheduledState> + <schedulingStrategy>TIMER_DRIVEN</schedulingStrategy> + <executionNode>ALL</executionNode> + <runDurationNanos>0</runDurationNanos> + <property> + <name>jolt-transform</name> + <value>jolt-transform-chain</value> + </property> + <property> + <name>jolt-custom-class</name> + </property> + <property> + <name>jolt-custom-modules</name> + </property> + <property> + <name>jolt-spec</name> + <value>[ + { + "operation": "shift", + "spec": { + "*": { + "clientip": "[&1].client.ip", + "*": "[&1].&" + } + } + } +] +</value> + </property> + <property> + <name>Transform Cache Size</name> + <value>1</value> + </property> + <property> + <name>pretty_print</name> + <value>false</value> + </property> + <autoTerminatedRelationship>failure</autoTerminatedRelationship> + </processor> + <processor> + <id>cc0b3611-49bf-115a-a4d1-ab5036347e20</id> + <name>UpdateRecord</name> + <position x="352.0" y="472.0" /> + <styles /> + <comment /> + 
<class>org.apache.nifi.processors.standard.UpdateRecord</class> + <bundle> + <group>org.apache.nifi</group> + <artifact>nifi-standard-nar</artifact> + <version>1.12.1</version> + </bundle> + <maxConcurrentTasks>1</maxConcurrentTasks> + <schedulingPeriod>0 sec</schedulingPeriod> + <penalizationPeriod>30 sec</penalizationPeriod> + <yieldPeriod>1 sec</yieldPeriod> + <bulletinLevel>WARN</bulletinLevel> + <lossTolerant>false</lossTolerant> + <scheduledState>RUNNING</scheduledState> + <schedulingStrategy>TIMER_DRIVEN</schedulingStrategy> + <executionNode>ALL</executionNode> + <runDurationNanos>0</runDurationNanos> + <property> + <name>record-reader</name> + <value>179dd31f-89ed-3179-adb2-85a9c61869ce</value> + </property> + <property> + <name>record-writer</name> + <value>17b30955-5464-3709-8a32-69a459850cfa</value> + </property> + <property> + <name>replacement-value-strategy</name> + <value>literal-value</value> + </property> + <property> + <name>/labels/source_host</name> + <value>${source_host}</value> + </property> + <property> + <name>/timestamp</name> + <value>${field.value:toDate('dd/MMM/yyyy:HH:mm:ss Z'):format("yyyy-MM-dd'T'HH:mm:ss.SSSXXX")}</value> + </property> + <autoTerminatedRelationship>failure</autoTerminatedRelationship> + </processor> + <processor> + <id>93ce3822-d539-1701-856c-f98a3dc4f52a</id> + <name>Extract message</name> + <position x="352.0" y="280.0" /> + <styles /> + <comment /> + <class>org.apache.nifi.processors.standard.ConvertRecord</class> + <bundle> + <group>org.apache.nifi</group> + <artifact>nifi-standard-nar</artifact> + <version>1.12.1</version> + </bundle> + <maxConcurrentTasks>1</maxConcurrentTasks> + <schedulingPeriod>0 sec</schedulingPeriod> + <penalizationPeriod>30 sec</penalizationPeriod> + <yieldPeriod>1 sec</yieldPeriod> + <bulletinLevel>WARN</bulletinLevel> + <lossTolerant>false</lossTolerant> + <scheduledState>RUNNING</scheduledState> + <schedulingStrategy>TIMER_DRIVEN</schedulingStrategy> + 
<executionNode>ALL</executionNode> + <runDurationNanos>0</runDurationNanos> + <property> + <name>record-reader</name> + <value>179dd31f-89ed-3179-adb2-85a9c61869ce</value> + </property> + <property> + <name>record-writer</name> + <value>bc8e5957-0175-1000-0000-00003346421d</value> + </property> + <property> + <name>include-zero-record-flowfiles</name> + <value>true</value> + </property> + <autoTerminatedRelationship>failure</autoTerminatedRelationship> + </processor> + <processor> + <id>62a93b2c-fbcd-1f70-9575-37b82d7cbd85</id> + <name>Convert to json</name> + <position x="1064.0" y="272.0" /> + <styles /> + <comment /> + <class>org.apache.nifi.processors.standard.ConvertRecord</class> + <bundle> + <group>org.apache.nifi</group> + <artifact>nifi-standard-nar</artifact> + <version>1.12.1</version> + </bundle> + <maxConcurrentTasks>1</maxConcurrentTasks> + <schedulingPeriod>0 sec</schedulingPeriod> + <penalizationPeriod>30 sec</penalizationPeriod> + <yieldPeriod>1 sec</yieldPeriod> + <bulletinLevel>WARN</bulletinLevel> + <lossTolerant>false</lossTolerant> + <scheduledState>RUNNING</scheduledState> + <schedulingStrategy>TIMER_DRIVEN</schedulingStrategy> + <executionNode>ALL</executionNode> + <runDurationNanos>0</runDurationNanos> + <property> + <name>record-reader</name> + <value>71940755-0177-1000-0000-0000489cb88a</value> + </property> + <property> + <name>record-writer</name> + <value>17b30955-5464-3709-8a32-69a459850cfa</value> + </property> + <property> + <name>include-zero-record-flowfiles</name> + <value>false</value> + </property> + <autoTerminatedRelationship>failure</autoTerminatedRelationship> + </processor> + <processor> + <id>abc93fdf-35f1-171d-9026-bd57fcdafaf3</id> + <name>UpdateAttribute</name> + <position x="1072.0" y="472.0" /> + <styles /> + <comment /> + <class>org.apache.nifi.processors.attributes.UpdateAttribute</class> + <bundle> + <group>org.apache.nifi</group> + <artifact>nifi-update-attribute-nar</artifact> + <version>1.12.1</version> + 
</bundle> + <maxConcurrentTasks>1</maxConcurrentTasks> + <schedulingPeriod>0 sec</schedulingPeriod> + <penalizationPeriod>30 sec</penalizationPeriod> + <yieldPeriod>1 sec</yieldPeriod> + <bulletinLevel>WARN</bulletinLevel> + <lossTolerant>false</lossTolerant> + <scheduledState>RUNNING</scheduledState> + <schedulingStrategy>TIMER_DRIVEN</schedulingStrategy> + <executionNode>ALL</executionNode> + <runDurationNanos>0</runDurationNanos> + <property> + <name>Delete Attributes Expression</name> + </property> + <property> + <name>Store State</name> + <value>Do not store state</value> + </property> + <property> + <name>Stateful Variables Initial Value</name> + </property> + <property> + <name>canonical-value-lookup-cache-size</name> + <value>100</value> + </property> + <property> + <name>data_index</name> + <value>logs-misp</value> + </property> + <property> + <name>enrich_ip1</name> + <value>/client/ip</value> + </property> + </processor> + <inputPort> + <id>de3b3084-16ab-1800-bad8-48890ca0526b</id> + <name>Input</name> + <position x="397.9999517774115" y="110.99999315685733" /> + <comments /> + <scheduledState>RUNNING</scheduledState> + </inputPort> + <outputPort> + <id>847a3472-7bdb-1823-8c6f-7b72bc6acc95</id> + <name>Output</name> + <position x="400.0" y="896.0" /> + <comments /> + <scheduledState>RUNNING</scheduledState> + </outputPort> <connection> - <id>8d19c8d7-0175-1000-ffff-ffffe3aa385d</id> + <id>9b7e3cb7-09df-199e-8b45-3697bd17f102</id> <name /> <bendPoints /> <labelIndex>1</labelIndex> <zIndex>0</zIndex> - <sourceId>1a038948-9e9a-3523-b899-990077bfd575</sourceId> - <sourceGroupId>bd12dc14-015e-3428-bfdf-b1219d2d6fdb</sourceGroupId> + <sourceId>62a93b2c-fbcd-1f70-9575-37b82d7cbd85</sourceId> + <sourceGroupId>355e3dc3-4da9-1443-ae3b-b6556e6a180a</sourceGroupId> <sourceType>PROCESSOR</sourceType> - <destinationId>46cdd7aa-91f0-307c-90aa-65747e558f25</destinationId> - <destinationGroupId>bd12dc14-015e-3428-bfdf-b1219d2d6fdb</destinationGroupId> + 
<destinationId>cc0b3611-49bf-115a-a4d1-ab5036347e20</destinationId> + <destinationGroupId>355e3dc3-4da9-1443-ae3b-b6556e6a180a</destinationGroupId> <destinationType>PROCESSOR</destinationType> <relationship>success</relationship> <maxWorkQueueSize>10000</maxWorkQueueSize> 
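Review bot: Every record-handling processor added to the Misp group auto-terminates `failure` (Normalize fields, UpdateRecord, Extract message and Convert to json all carry `<autoTerminatedRelationship>failure</autoTerminatedRelationship>`), so an event that fails the Jolt shift or the `dd/MMM/yyyy:HH:mm:ss Z` parse in the `/timestamp` property is discarded with nothing but a WARN bulletin to show for it. For an ingestion path that feeds detection, silent loss is the worse failure mode; route `failure` to a dead-letter connection or at least a LogAttribute processor so dropped records are countable and replayable, and note that `MMM` parsing depends on the NiFi JVM's locale (worth confirming on a non-English host). The same pattern appears in the Suricata group's Normalize fields, Partition records and Convert timestamp processors in the later hunks of this file. The Misp process group opened here continues past this hunk.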
@@ -5747,36 +6028,16 @@ <loadBalanceCompression>DO_NOT_COMPRESS</loadBalanceCompression> </connection> <connection> - <id>8d13df9c-0175-1000-0000-0000562b802e</id> - <name /> - <bendPoints /> - <labelIndex>1</labelIndex> - <zIndex>0</zIndex> - <sourceId>8d13c952-0175-1000-0000-00007e8f4cae</sourceId> - <sourceGroupId>bd12dc14-015e-3428-bfdf-b1219d2d6fdb</sourceGroupId> - <sourceType>INPUT_PORT</sourceType> - <destinationId>24e1d8ed-10f4-3b46-958c-f2fb676e3192</destinationId> - <destinationGroupId>bd12dc14-015e-3428-bfdf-b1219d2d6fdb</destinationGroupId> - <destinationType>PROCESSOR</destinationType> - <relationship /> - <maxWorkQueueSize>10000</maxWorkQueueSize> - <maxWorkQueueDataSize>1 GB</maxWorkQueueDataSize> - <flowFileExpiration>0 sec</flowFileExpiration> - <loadBalanceStrategy>DO_NOT_LOAD_BALANCE</loadBalanceStrategy> - <partitioningAttribute /> - <loadBalanceCompression>DO_NOT_COMPRESS</loadBalanceCompression> - </connection> - <connection> - <id>f9a8aee6-502f-3eb9-8806-8964276d4ca0</id> + <id>71a88c5a-0177-1000-ffff-ffffb72c3649</id> <name /> <bendPoints /> <labelIndex>1</labelIndex> <zIndex>0</zIndex> - <sourceId>24e1d8ed-10f4-3b46-958c-f2fb676e3192</sourceId> - <sourceGroupId>bd12dc14-015e-3428-bfdf-b1219d2d6fdb</sourceGroupId> + <sourceId>abc93fdf-35f1-171d-9026-bd57fcdafaf3</sourceId> + <sourceGroupId>355e3dc3-4da9-1443-ae3b-b6556e6a180a</sourceGroupId> <sourceType>PROCESSOR</sourceType> - <destinationId>1a038948-9e9a-3523-b899-990077bfd575</destinationId> - <destinationGroupId>bd12dc14-015e-3428-bfdf-b1219d2d6fdb</destinationGroupId> + <destinationId>71a77f51-0177-1000-ffff-ffffeb9d4168</destinationId> + <destinationGroupId>355e3dc3-4da9-1443-ae3b-b6556e6a180a</destinationGroupId> <destinationType>PROCESSOR</destinationType> <relationship>success</relationship> <maxWorkQueueSize>10000</maxWorkQueueSize> 
@@ -5787,36 +6048,16 @@ <loadBalanceCompression>DO_NOT_COMPRESS</loadBalanceCompression> </connection> <connection> - <id>8d2364b0-0175-1000-ffff-ffffa2a4601f</id> - <name /> - <bendPoints /> - <labelIndex>1</labelIndex> - <zIndex>0</zIndex> - <sourceId>8d1bef35-0175-1000-0000-0000746fa33d</sourceId> - <sourceGroupId>bd12dc14-015e-3428-bfdf-b1219d2d6fdb</sourceGroupId> - <sourceType>PROCESSOR</sourceType> - <destinationId>8d212c22-0175-1000-ffff-fffffbc39157</destinationId> - <destinationGroupId>8d1ad21f-0175-1000-0000-00003c540411</destinationGroupId> - <destinationType>INPUT_PORT</destinationType> - <relationship>dns</relationship> - <maxWorkQueueSize>10000</maxWorkQueueSize> - <maxWorkQueueDataSize>1 GB</maxWorkQueueDataSize> - <flowFileExpiration>0 sec</flowFileExpiration> - <loadBalanceStrategy>DO_NOT_LOAD_BALANCE</loadBalanceStrategy> - <partitioningAttribute /> - <loadBalanceCompression>DO_NOT_COMPRESS</loadBalanceCompression> - </connection> - <connection> - <id>8d1a6818-0175-1000-ffff-ffffeebd7e98</id> + <id>72813511-270c-1349-89ee-646d39f457d6</id> <name /> <bendPoints /> <labelIndex>1</labelIndex> <zIndex>0</zIndex> - <sourceId>46cdd7aa-91f0-307c-90aa-65747e558f25</sourceId> - <sourceGroupId>bd12dc14-015e-3428-bfdf-b1219d2d6fdb</sourceGroupId> + <sourceId>cc0b3611-49bf-115a-a4d1-ab5036347e20</sourceId> + <sourceGroupId>355e3dc3-4da9-1443-ae3b-b6556e6a180a</sourceGroupId> <sourceType>PROCESSOR</sourceType> - <destinationId>fd6b6513-51f8-3a96-a764-13bd39ec7f84</destinationId> - <destinationGroupId>bd12dc14-015e-3428-bfdf-b1219d2d6fdb</destinationGroupId> + <destinationId>abc93fdf-35f1-171d-9026-bd57fcdafaf3</destinationId> + <destinationGroupId>355e3dc3-4da9-1443-ae3b-b6556e6a180a</destinationGroupId> <destinationType>PROCESSOR</destinationType> <relationship>success</relationship> <maxWorkQueueSize>10000</maxWorkQueueSize> 
@@ -5827,18 +6068,18 @@ <loadBalanceCompression>DO_NOT_COMPRESS</loadBalanceCompression> </connection> <connection> - <id>349b32e1-a821-1197-0000-00000d7cca30</id> + <id>71ac38fe-0177-1000-0000-00007c798b8b</id> <name /> <bendPoints /> <labelIndex>1</labelIndex> <zIndex>0</zIndex> - <sourceId>349b32d8-a821-1197-0000-000025a75a3b</sourceId> - <sourceGroupId>8d1afcd0-0175-1000-ffff-ffffb3690a74</sourceGroupId> - <sourceType>OUTPUT_PORT</sourceType> - <destinationId>055308a4-d020-39a9-9da4-b165796ef717</destinationId> - <destinationGroupId>bd12dc14-015e-3428-bfdf-b1219d2d6fdb</destinationGroupId> + <sourceId>71a77f51-0177-1000-ffff-ffffeb9d4168</sourceId> + <sourceGroupId>355e3dc3-4da9-1443-ae3b-b6556e6a180a</sourceGroupId> + <sourceType>PROCESSOR</sourceType> + <destinationId>847a3472-7bdb-1823-8c6f-7b72bc6acc95</destinationId> + <destinationGroupId>355e3dc3-4da9-1443-ae3b-b6556e6a180a</destinationGroupId> <destinationType>OUTPUT_PORT</destinationType> - <relationship /> + <relationship>success</relationship> <maxWorkQueueSize>10000</maxWorkQueueSize> <maxWorkQueueDataSize>1 GB</maxWorkQueueDataSize> <flowFileExpiration>0 sec</flowFileExpiration> 
@@ -5847,16 +6088,16 @@ <loadBalanceCompression>DO_NOT_COMPRESS</loadBalanceCompression> </connection> <connection> - <id>8d1c1701-0175-1000-ffff-fffff7364622</id> + <id>cea53188-df28-1b8f-bfd2-b730a8225016</id> <name /> <bendPoints /> <labelIndex>1</labelIndex> <zIndex>0</zIndex> - <sourceId>fd6b6513-51f8-3a96-a764-13bd39ec7f84</sourceId> - <sourceGroupId>bd12dc14-015e-3428-bfdf-b1219d2d6fdb</sourceGroupId> + <sourceId>93ce3822-d539-1701-856c-f98a3dc4f52a</sourceId> + <sourceGroupId>355e3dc3-4da9-1443-ae3b-b6556e6a180a</sourceGroupId> <sourceType>PROCESSOR</sourceType> - <destinationId>8d1bef35-0175-1000-0000-0000746fa33d</destinationId> - <destinationGroupId>bd12dc14-015e-3428-bfdf-b1219d2d6fdb</destinationGroupId> + <destinationId>62a93b2c-fbcd-1f70-9575-37b82d7cbd85</destinationId> + <destinationGroupId>355e3dc3-4da9-1443-ae3b-b6556e6a180a</destinationGroupId> <destinationType>PROCESSOR</destinationType> <relationship>success</relationship> <maxWorkQueueSize>10000</maxWorkQueueSize> 
@@ -5867,39 +6108,17 @@ <loadBalanceCompression>DO_NOT_COMPRESS</loadBalanceCompression> </connection> <connection> - <id>9266feff-0175-1000-ffff-ffff8c7d68c1</id> - <name /> - <bendPoints> - <bendPoint x="-1208.0" y="952.0" /> - </bendPoints> - <labelIndex>0</labelIndex> - <zIndex>0</zIndex> - <sourceId>8d1bef35-0175-1000-0000-0000746fa33d</sourceId> - <sourceGroupId>bd12dc14-015e-3428-bfdf-b1219d2d6fdb</sourceGroupId> - <sourceType>PROCESSOR</sourceType> - <destinationId>055308a4-d020-39a9-9da4-b165796ef717</destinationId> - <destinationGroupId>bd12dc14-015e-3428-bfdf-b1219d2d6fdb</destinationGroupId> - <destinationType>OUTPUT_PORT</destinationType> - <relationship>unmatched</relationship> - <maxWorkQueueSize>10000</maxWorkQueueSize> - <maxWorkQueueDataSize>1 GB</maxWorkQueueDataSize> - <flowFileExpiration>0 sec</flowFileExpiration> - <loadBalanceStrategy>DO_NOT_LOAD_BALANCE</loadBalanceStrategy> - <partitioningAttribute /> - <loadBalanceCompression>DO_NOT_COMPRESS</loadBalanceCompression> - </connection> - <connection> - <id>9266e0c5-0175-1000-0000-00006aafc0f8</id> + <id>80533dda-2279-1f53-a1c5-b34f077db076</id> <name /> <bendPoints /> <labelIndex>1</labelIndex> <zIndex>0</zIndex> - <sourceId>8d211b58-0175-1000-0000-000003eb5f3b</sourceId> - <sourceGroupId>8d1ad21f-0175-1000-0000-00003c540411</sourceGroupId> - <sourceType>OUTPUT_PORT</sourceType> - <destinationId>055308a4-d020-39a9-9da4-b165796ef717</destinationId> - <destinationGroupId>bd12dc14-015e-3428-bfdf-b1219d2d6fdb</destinationGroupId> - <destinationType>OUTPUT_PORT</destinationType> + <sourceId>de3b3084-16ab-1800-bad8-48890ca0526b</sourceId> + <sourceGroupId>355e3dc3-4da9-1443-ae3b-b6556e6a180a</sourceGroupId> + <sourceType>INPUT_PORT</sourceType> + <destinationId>93ce3822-d539-1701-856c-f98a3dc4f52a</destinationId> + <destinationGroupId>355e3dc3-4da9-1443-ae3b-b6556e6a180a</destinationGroupId> + <destinationType>PROCESSOR</destinationType> <relationship /> <maxWorkQueueSize>10000</maxWorkQueueSize> 
<maxWorkQueueDataSize>1 GB</maxWorkQueueDataSize> 
@@ -5910,120 +6129,19 @@ </connection> </processGroup> <processGroup> - <id>48bc31b5-dbc5-116d-adbe-fe0f10314ac2</id> - <name>Mysql</name> - <position x="-440.0" y="1272.0" /> + <id>bd12dc14-015e-3428-bfdf-b1219d2d6fdb</id> + <name>Suricata</name> + <position x="-448.0" y="264.0" /> <comment /> <flowfileConcurrency>UNBOUNDED</flowfileConcurrency> <flowfileOutboundPolicy>STREAM_WHEN_AVAILABLE</flowfileOutboundPolicy> <processor> - <id>14453e90-7646-1485-ffff-ffff81f3c683</id> - <name>Add header</name> - <position x="344.0" y="-8.0" /> - <styles /> - <comment /> - <class>org.apache.nifi.processors.standard.ReplaceText</class> - <bundle> - <group>org.apache.nifi</group> - <artifact>nifi-standard-nar</artifact> - <version>1.12.1</version> - </bundle> - <maxConcurrentTasks>1</maxConcurrentTasks> - <schedulingPeriod>0 sec</schedulingPeriod> - <penalizationPeriod>30 sec</penalizationPeriod> - <yieldPeriod>1 sec</yieldPeriod> - <bulletinLevel>WARN</bulletinLevel> - <lossTolerant>false</lossTolerant> - <scheduledState>RUNNING</scheduledState> - <schedulingStrategy>TIMER_DRIVEN</schedulingStrategy> - <executionNode>ALL</executionNode> - <runDurationNanos>0</runDurationNanos> - <property> - <name>Regular Expression</name> - <value>(?s)(^.*$)</value> - </property> - <property> - <name>Replacement Value</name> - <value>timestamp,serverhost,username,host,connectionid,queryid,operation,database,object,retcode -</value> - </property> - <property> - <name>Character Set</name> - <value>UTF-8</value> - </property> - <property> - <name>Maximum Buffer Size</name> - <value>1 MB</value> - </property> - <property> - <name>Replacement Strategy</name> - <value>Prepend</value> - </property> - <property> - <name>Evaluation Mode</name> - <value>Entire text</value> - </property> - <property> - <name>Line-by-Line Evaluation Mode</name> - <value>All</value> - </property> - <autoTerminatedRelationship>failure</autoTerminatedRelationship> - </processor> - <processor> - 
<id>e0bd3907-2d13-1407-b2dd-48591e65e59d</id> - <name>UpdateRecord</name> - <position x="-336.0" y="416.0" /> - <styles /> - <comment /> - <class>org.apache.nifi.processors.standard.UpdateRecord</class> - <bundle> - <group>org.apache.nifi</group> - <artifact>nifi-standard-nar</artifact> - <version>1.12.1</version> - </bundle> - <maxConcurrentTasks>1</maxConcurrentTasks> - <schedulingPeriod>0 sec</schedulingPeriod> - <penalizationPeriod>30 sec</penalizationPeriod> - <yieldPeriod>1 sec</yieldPeriod> - <bulletinLevel>WARN</bulletinLevel> - <lossTolerant>false</lossTolerant> - <scheduledState>RUNNING</scheduledState> - <schedulingStrategy>TIMER_DRIVEN</schedulingStrategy> - <executionNode>ALL</executionNode> - <runDurationNanos>0</runDurationNanos> - <property> - <name>record-reader</name> - <value>179dd31f-89ed-3179-adb2-85a9c61869ce</value> - </property> - <property> - <name>record-writer</name> - <value>17b30955-5464-3709-8a32-69a459850cfa</value> - </property> - <property> - <name>replacement-value-strategy</name> - <value>literal-value</value> - </property> - <property> - <name>/event_type</name> - <value>log</value> - </property> - <property> - <name>/labels/source_host</name> - <value>${source_host}</value> - </property> - <property> - <name>/timestamp</name> - <value>${field.value:toDate('yyMMdd HH:mm:ss'):format("yyyy-MM-dd'T'HH:mm:ss.SSSXXX")}</value> - </property> - <autoTerminatedRelationship>failure</autoTerminatedRelationship> - </processor> - <processor> - <id>50813f6b-a5f6-1a98-8ae4-115134714332</id> - <name>UpdateRecord</name> - <position x="352.0" y="472.0" /> + <id>8d1bef35-0175-1000-0000-0000746fa33d</id> + <name>RouteOnAttribute</name> + <position x="-984.0" y="640.0" /> <styles /> <comment /> - <class>org.apache.nifi.processors.standard.UpdateRecord</class> + <class>org.apache.nifi.processors.standard.RouteOnAttribute</class> <bundle> <group>org.apache.nifi</group> <artifact>nifi-standard-nar</artifact> 
@@ -6040,38 +6158,25 @@ <executionNode>ALL</executionNode> <runDurationNanos>0</runDurationNanos> <property> - <name>record-reader</name> - <value>179dd31f-89ed-3179-adb2-85a9c61869ce</value> - </property> - <property> - <name>record-writer</name> - <value>17b30955-5464-3709-8a32-69a459850cfa</value> - </property> - <property> - <name>replacement-value-strategy</name> - <value>literal-value</value> - </property> - <property> - <name>/event_type</name> - <value>audit</value> + <name>Routing Strategy</name> + <value>Route to Property name</value> </property> <property> - <name>/labels/source_host</name> - <value>${source_host}</value> + <name>dns</name> + <value>${event_type:equals("dns")}</value> </property> <property> - <name>/timestamp</name> - <value>${field.value:toDate('yyyyMMdd HH:mm:ss'):format("yyyy-MM-dd'T'HH:mm:ss.SSSXXX")}</value> + <name>tls</name> + <value>${event_type:equals("tls")}</value> </property> - <autoTerminatedRelationship>failure</autoTerminatedRelationship> </processor> <processor> - <id>e4353681-23e9-15af-0000-000032ea35e3</id> - <name>RouteOnAttribute</name> - <position x="-352.0" y="0.0" /> + <id>24e1d8ed-10f4-3b46-958c-f2fb676e3192</id> + <name>Normalize fields</name> + <position x="-987.5658863682004" y="234.96963460665665" /> <styles /> <comment /> - <class>org.apache.nifi.processors.standard.RouteOnAttribute</class> + <class>org.apache.nifi.processors.standard.JoltTransformJSON</class> <bundle> <group>org.apache.nifi</group> <artifact>nifi-standard-nar</artifact> 
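Review bot: The RouteOnAttribute and Normalize fields processors keep an empty `<comment />` although their behaviour depends on state produced elsewhere: the `dns`/`tls` properties test `${event_type:equals("dns")}` and `${event_type:equals("tls")}`, an attribute that is only created by the PartitionRecord processor (`event_type` → `/event_type`, two hunks down), and the Jolt spec that performs the field mapping sits in the next hunk with no explanation. A reader opening the flow in the NiFi UI sees neither dependency. Fill the RouteOnAttribute comment with something like `Routes on the event_type attribute set by "Partition records based on event_type"; only dns and tls get dedicated branches, everything else leaves through unmatched`, and give Normalize fields a one-line summary of its shift (Filebeat json.* unwrapped to top level, host.name and source kept under labels, src_/dest_ ip and port renamed to ECS source./destination.). RouteOnAttribute starts in the previous hunk and Normalize fields continues into the next one.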
@@ -6088,21 +6193,60 @@ <executionNode>ALL</executionNode> <runDurationNanos>0</runDurationNanos> <property> - <name>Routing Strategy</name> - <value>Route to Property name</value> + <name>jolt-transform</name> + <value>jolt-transform-chain</value> </property> <property> - <name>audit</name> - <value>${source_file:contains("audit")}</value> + <name>jolt-custom-class</name> + </property> + <property> + <name>jolt-custom-modules</name> + </property> + <property> + <name>jolt-spec</name> + <value>[{ + "operation": "shift", + "spec": { + "*": { + "json": { + "*": "[&2].&" + }, + "host": { + "name": "[&2].labels.source_host" + }, + "source": "[&1].labels.source" + } + } +}, { + "operation": "shift", + "spec": { + "*": { + "dest_ip":"[&1].destination.ip", + "dest_port":"[&1].destination.port", + "src_ip":"[&1].source.ip", + "src_port":"[&1].source.port", + "*": "[&1].&" + } + } +}]</value> + </property> + <property> + <name>Transform Cache Size</name> + <value>1</value> + </property> + <property> + <name>pretty_print</name> + <value>false</value> </property> + <autoTerminatedRelationship>failure</autoTerminatedRelationship> </processor> <processor> - <id>f92d3f77-958a-1344-bd3b-7c93457e5c12</id> - <name>Extract message</name> - <position x="-360.0" y="-216.0" /> + <id>fd6b6513-51f8-3a96-a764-13bd39ec7f84</id> + <name>Partition records based on event_type</name> + <position x="-382.59400260581754" y="446.9900134408068" /> <styles /> <comment /> - <class>org.apache.nifi.processors.standard.ConvertRecord</class> + <class>org.apache.nifi.processors.standard.PartitionRecord</class> <bundle> <group>org.apache.nifi</group> <artifact>nifi-standard-nar</artifact> 
@@ -6124,21 +6268,22 @@ </property> <property> <name>record-writer</name> - <value>bc8e5957-0175-1000-0000-00003346421d</value> + <value>17b30955-5464-3709-8a32-69a459850cfa</value> </property> <property> - <name>include-zero-record-flowfiles</name> - <value>true</value> + <name>event_type</name> + <value>/event_type</value> </property> <autoTerminatedRelationship>failure</autoTerminatedRelationship> + <autoTerminatedRelationship>original</autoTerminatedRelationship> </processor> <processor> - <id>92693a34-99da-1004-adfb-bdf4aa7e1c30</id> - <name>Convert to json</name> - <position x="352.0" y="240.0" /> + <id>1a038948-9e9a-3523-b899-990077bfd575</id> + <name>Convert timestamp</name> + <position x="-385.7461824498648" y="233.13395543765722" /> <styles /> <comment /> - <class>org.apache.nifi.processors.standard.ConvertRecord</class> + <class>org.apache.nifi.processors.standard.UpdateRecord</class> <bundle> <group>org.apache.nifi</group> <artifact>nifi-standard-nar</artifact> 
@@ -6156,22 +6301,34 @@ <runDurationNanos>0</runDurationNanos> <property> <name>record-reader</name> - <value>14453a95-7646-1485-0000-00002c675762</value> + <value>179dd31f-89ed-3179-adb2-85a9c61869ce</value> </property> <property> <name>record-writer</name> <value>17b30955-5464-3709-8a32-69a459850cfa</value> </property> <property> - <name>include-zero-record-flowfiles</name> - <value>false</value> + <name>replacement-value-strategy</name> + <value>literal-value</value> + </property> + <property> + <name>/TLP</name> + <value>AMBER</value> + </property> + <property> + <name>/mime.type</name> + <value>application/json</value> + </property> + <property> + <name>/timestamp</name> + <value>${field.value:replaceFirst('\+(\d\d)(\d\d)','+$1:$2')}</value> </property> <autoTerminatedRelationship>failure</autoTerminatedRelationship> </processor> <processor> - <id>48723b8e-fae0-14e6-afdc-85c239646dc0</id> - <name>UpdateAttribute</name> - <position x="-320.0" y="648.0" /> + <id>46cdd7aa-91f0-307c-90aa-65747e558f25</id> + <name>Add attributes</name> + <position x="-984.0" y="456.0" /> <styles /> <comment /> <class>org.apache.nifi.processors.attributes.UpdateAttribute</class> 
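Review bot: The `/timestamp` rewrite in the Convert timestamp UpdateRecord, `${field.value:replaceFirst('\+(\d\d)(\d\d)','+$1:$2')}`, only normalises positive UTC offsets; a Suricata sensor west of UTC emits `-0500`-style suffixes, which stay unconverted, so the field reaches the index in two different formats depending on the sensor's time zone. Capturing the sign fixes it, e.g. `${field.value:replaceFirst('([+-])(\d\d)(\d\d)$','$1$2:$3')}`, with the anchor keeping the replacement on the trailing offset only (the exact quoting of `$` inside the NiFi expression is worth a quick check in the UI). The processor's header lines are in the previous hunk.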
@@ -6204,78 +6361,674 @@ <name>canonical-value-lookup-cache-size</name> <value>100</value> </property> + <property> + <name>data_id</name> + <value>suricata-${event_type}</value> + </property> <property> <name>data_index</name> - <value>logs-mysql</value> + <value>logs-${beats.sender:substringBeforeLast('/'):substringBeforeLast('.'):substringAfterLast('.')}-suricata-${event_type}</value> + </property> + <property> + <name>data_type</name> + <value>suricata</value> + </property> + <property> + <name>enrich_ip2</name> + <value>/destination/ip</value> </property> <property> <name>enrich_ip1</name> - <value>/client.ip</value> + <value>/source/ip</value> + </property> + <property> + <name>TLP</name> + <value>AMBER</value> </property> </processor> - <processor> - <id>14453a41-7646-1485-b398-28f819de4a45</id> - <name>Convert to json</name> - <position x="-336.0" y="200.0" /> - <styles /> + <inputPort> + <id>8d13c952-0175-1000-0000-00007e8f4cae</id> + <name>Input</name> + <position x="-928.0" y="16.0" /> + <comments /> + <scheduledState>RUNNING</scheduledState> + </inputPort> + <outputPort> + <id>055308a4-d020-39a9-9da4-b165796ef717</id> + <name>To enrichment</name> + <position x="-928.0" y="1208.0" /> + <comments /> + <scheduledState>RUNNING</scheduledState> + </outputPort> + <processGroup> + <id>8d1afcd0-0175-1000-ffff-ffffb3690a74</id> + <name>TLS events</name> + <position x="-384.0" y="872.0" /> + <comment /> + <flowfileConcurrency>UNBOUNDED</flowfileConcurrency> + <flowfileOutboundPolicy>STREAM_WHEN_AVAILABLE</flowfileOutboundPolicy> + <processor> + <id>9279850b-0175-1000-0000-00001e74d182</id> + <name>Copy SNI</name> + <position x="504.0" y="320.0" /> + <styles /> + <comment /> + <class>org.apache.nifi.processors.standard.UpdateRecord</class> + <bundle> + <group>org.apache.nifi</group> + <artifact>nifi-standard-nar</artifact> + <version>1.12.1</version> + </bundle> + <maxConcurrentTasks>1</maxConcurrentTasks> + <schedulingPeriod>0 sec</schedulingPeriod> + 
<penalizationPeriod>30 sec</penalizationPeriod> + <yieldPeriod>1 sec</yieldPeriod> + <bulletinLevel>WARN</bulletinLevel> + <lossTolerant>false</lossTolerant> + <scheduledState>RUNNING</scheduledState> + <schedulingStrategy>TIMER_DRIVEN</schedulingStrategy> + <executionNode>ALL</executionNode> + <runDurationNanos>0</runDurationNanos> + <property> + <name>record-reader</name> + <value>179dd31f-89ed-3179-adb2-85a9c61869ce</value> + </property> + <property> + <name>record-writer</name> + <value>17b30955-5464-3709-8a32-69a459850cfa</value> + </property> + <property> + <name>replacement-value-strategy</name> + <value>record-path-value</value> + </property> + <property> + <name>/tls/sni_length</name> + <value>/tls/sni</value> + </property> + <property> + <name>/tls/sni_domain_length</name> + <value>/tls/sni</value> + </property> + <property> + <name>/tls/sni_domain</name> + <value>/tls/sni</value> + </property> + <autoTerminatedRelationship>failure</autoTerminatedRelationship> + </processor> + <processor> + <id>349b3279-a821-1197-aaa6-7e5472dccbef</id> + <name>Add sni_domain ++</name> + <position x="504.0" y="544.0" /> + <styles /> + <comment /> + <class>org.apache.nifi.processors.standard.UpdateRecord</class> + <bundle> + <group>org.apache.nifi</group> + <artifact>nifi-standard-nar</artifact> + <version>1.12.1</version> + </bundle> + <maxConcurrentTasks>1</maxConcurrentTasks> + <schedulingPeriod>0 sec</schedulingPeriod> + <penalizationPeriod>30 sec</penalizationPeriod> + <yieldPeriod>1 sec</yieldPeriod> + <bulletinLevel>WARN</bulletinLevel> + <lossTolerant>false</lossTolerant> + <scheduledState>RUNNING</scheduledState> + <schedulingStrategy>TIMER_DRIVEN</schedulingStrategy> + <executionNode>ALL</executionNode> + <runDurationNanos>0</runDurationNanos> + <property> + <name>record-reader</name> + <value>179dd31f-89ed-3179-adb2-85a9c61869ce</value> + </property> + <property> + <name>record-writer</name> + <value>17b30955-5464-3709-8a32-69a459850cfa</value> + </property> + 
<property> + <name>replacement-value-strategy</name> + <value>literal-value</value> + </property> + <property> + <name>/tls/sni_length</name> + <value>${field.value:length():toNumber()}</value> + </property> + <property> + <name>/tls/sni_domain_length</name> + <value>${field.value:substringBeforeLast('.'):substringAfterLast('.'):append(${field.value:substringAfterLast('.'):prepend('.')}):length():toNumber()}</value> + </property> + <property> + <name>/tls/sni_domain</name> + <value>${field.value:substringBeforeLast('.'):substringAfterLast('.'):append(${field.value:substringAfterLast('.'):prepend('.')})}</value> + </property> + <autoTerminatedRelationship>failure</autoTerminatedRelationship> + </processor> + <processor> + <id>349b3291-a821-1197-0000-000032560c6a</id> + <name>Specify enrichment fields</name> + <position x="504.0" y="752.0" /> + <styles /> + <comment /> + <class>org.apache.nifi.processors.attributes.UpdateAttribute</class> + <bundle> + <group>org.apache.nifi</group> + <artifact>nifi-update-attribute-nar</artifact> + <version>1.12.1</version> + </bundle> + <maxConcurrentTasks>1</maxConcurrentTasks> + <schedulingPeriod>0 sec</schedulingPeriod> + <penalizationPeriod>30 sec</penalizationPeriod> + <yieldPeriod>1 sec</yieldPeriod> + <bulletinLevel>WARN</bulletinLevel> + <lossTolerant>false</lossTolerant> + <scheduledState>RUNNING</scheduledState> + <schedulingStrategy>TIMER_DRIVEN</schedulingStrategy> + <executionNode>ALL</executionNode> + <runDurationNanos>0</runDurationNanos> + <property> + <name>Delete Attributes Expression</name> + </property> + <property> + <name>Store State</name> + <value>Do not store state</value> + </property> + <property> + <name>Stateful Variables Initial Value</name> + </property> + <property> + <name>canonical-value-lookup-cache-size</name> + <value>100</value> + </property> + <property> + <name>enrich_domain1</name> + <value>/tls/sni_domain</value> + </property> + <property> + <name>enrich_fqdn1</name> + 
<value>/tls/sni</value> + </property> + </processor> + <inputPort> + <id>92795a59-0175-1000-ffff-ffff89bc5f21</id> + <name>Input</name> + <position x="552.9999060626994" y="144.00001181679164" /> + <comments /> + <scheduledState>RUNNING</scheduledState> + </inputPort> + <outputPort> + <id>349b32d8-a821-1197-0000-000025a75a3b</id> + <name>Output</name> + <position x="552.0" y="976.0" /> + <comments /> + <scheduledState>RUNNING</scheduledState> + </outputPort> + <connection> + <id>9279996e-0175-1000-0000-000037fbed8b</id> + <name /> + <bendPoints /> + <labelIndex>1</labelIndex> + <zIndex>0</zIndex> + <sourceId>92795a59-0175-1000-ffff-ffff89bc5f21</sourceId> + <sourceGroupId>8d1afcd0-0175-1000-ffff-ffffb3690a74</sourceGroupId> + <sourceType>INPUT_PORT</sourceType> + <destinationId>9279850b-0175-1000-0000-00001e74d182</destinationId> + <destinationGroupId>8d1afcd0-0175-1000-ffff-ffffb3690a74</destinationGroupId> + <destinationType>PROCESSOR</destinationType> + <relationship /> + <maxWorkQueueSize>10000</maxWorkQueueSize> + <maxWorkQueueDataSize>1 GB</maxWorkQueueDataSize> + <flowFileExpiration>0 sec</flowFileExpiration> + <loadBalanceStrategy>DO_NOT_LOAD_BALANCE</loadBalanceStrategy> + <partitioningAttribute /> + <loadBalanceCompression>DO_NOT_COMPRESS</loadBalanceCompression> + </connection> + <connection> + <id>349b3297-a821-1197-0000-0000717807b6</id> + <name /> + <bendPoints /> + <labelIndex>1</labelIndex> + <zIndex>0</zIndex> + <sourceId>349b3279-a821-1197-aaa6-7e5472dccbef</sourceId> + <sourceGroupId>8d1afcd0-0175-1000-ffff-ffffb3690a74</sourceGroupId> + <sourceType>PROCESSOR</sourceType> + <destinationId>349b3291-a821-1197-0000-000032560c6a</destinationId> + <destinationGroupId>8d1afcd0-0175-1000-ffff-ffffb3690a74</destinationGroupId> + <destinationType>PROCESSOR</destinationType> + <relationship>success</relationship> + <maxWorkQueueSize>10000</maxWorkQueueSize> + <maxWorkQueueDataSize>1 GB</maxWorkQueueDataSize> + <flowFileExpiration>0 sec</flowFileExpiration> 
+ <loadBalanceStrategy>DO_NOT_LOAD_BALANCE</loadBalanceStrategy> + <partitioningAttribute /> + <loadBalanceCompression>DO_NOT_COMPRESS</loadBalanceCompression> + </connection> + <connection> + <id>349b327f-a821-1197-ffff-ffff8946a863</id> + <name /> + <bendPoints /> + <labelIndex>1</labelIndex> + <zIndex>0</zIndex> + <sourceId>9279850b-0175-1000-0000-00001e74d182</sourceId> + <sourceGroupId>8d1afcd0-0175-1000-ffff-ffffb3690a74</sourceGroupId> + <sourceType>PROCESSOR</sourceType> + <destinationId>349b3279-a821-1197-aaa6-7e5472dccbef</destinationId> + <destinationGroupId>8d1afcd0-0175-1000-ffff-ffffb3690a74</destinationGroupId> + <destinationType>PROCESSOR</destinationType> + <relationship>success</relationship> + <maxWorkQueueSize>10000</maxWorkQueueSize> + <maxWorkQueueDataSize>1 GB</maxWorkQueueDataSize> + <flowFileExpiration>0 sec</flowFileExpiration> + <loadBalanceStrategy>DO_NOT_LOAD_BALANCE</loadBalanceStrategy> + <partitioningAttribute /> + <loadBalanceCompression>DO_NOT_COMPRESS</loadBalanceCompression> + </connection> + <connection> + <id>349b32da-a821-1197-0000-000047979e25</id> + <name /> + <bendPoints /> + <labelIndex>1</labelIndex> + <zIndex>0</zIndex> + <sourceId>349b3291-a821-1197-0000-000032560c6a</sourceId> + <sourceGroupId>8d1afcd0-0175-1000-ffff-ffffb3690a74</sourceGroupId> + <sourceType>PROCESSOR</sourceType> + <destinationId>349b32d8-a821-1197-0000-000025a75a3b</destinationId> + <destinationGroupId>8d1afcd0-0175-1000-ffff-ffffb3690a74</destinationGroupId> + <destinationType>OUTPUT_PORT</destinationType> + <relationship>success</relationship> + <maxWorkQueueSize>10000</maxWorkQueueSize> + <maxWorkQueueDataSize>1 GB</maxWorkQueueDataSize> + <flowFileExpiration>0 sec</flowFileExpiration> + <loadBalanceStrategy>DO_NOT_LOAD_BALANCE</loadBalanceStrategy> + <partitioningAttribute /> + <loadBalanceCompression>DO_NOT_COMPRESS</loadBalanceCompression> + </connection> + </processGroup> + <processGroup> + <id>8d1ad21f-0175-1000-0000-00003c540411</id> + 
<name>DNS events</name> + <position x="-1000.0" y="872.0" /> <comment /> - <class>org.apache.nifi.processors.standard.ConvertRecord</class> - <bundle> - <group>org.apache.nifi</group> - <artifact>nifi-standard-nar</artifact> - <version>1.12.1</version> - </bundle> - <maxConcurrentTasks>1</maxConcurrentTasks> - <schedulingPeriod>0 sec</schedulingPeriod> - <penalizationPeriod>30 sec</penalizationPeriod> - <yieldPeriod>1 sec</yieldPeriod> - <bulletinLevel>WARN</bulletinLevel> - <lossTolerant>false</lossTolerant> - <scheduledState>RUNNING</scheduledState> - <schedulingStrategy>TIMER_DRIVEN</schedulingStrategy> - <executionNode>ALL</executionNode> - <runDurationNanos>0</runDurationNanos> - <property> - <name>record-reader</name> - <value>70ea12d7-0176-1000-ffff-ffffee2ee306</value> - </property> - <property> - <name>record-writer</name> - <value>17b30955-5464-3709-8a32-69a459850cfa</value> - </property> - <property> - <name>include-zero-record-flowfiles</name> - <value>false</value> - </property> - <autoTerminatedRelationship>failure</autoTerminatedRelationship> - </processor> - <inputPort> - <id>7f683020-779c-1bc9-85da-5bad079d5d9d</id> - <name>Input</name> - <position x="-312.0" y="-336.0" /> - <comments /> - <scheduledState>RUNNING</scheduledState> - </inputPort> - <outputPort> - <id>bcbb33ba-112e-1f53-8982-d5ae9f0e701f</id> - <name>Output</name> - <position x="-256.0" y="960.0" /> - <comments /> - <scheduledState>RUNNING</scheduledState> - </outputPort> + <flowfileConcurrency>UNBOUNDED</flowfileConcurrency> + <flowfileOutboundPolicy>STREAM_WHEN_AVAILABLE</flowfileOutboundPolicy> + <processor> + <id>8d37fe91-0175-1000-ffff-ffffb5c4de34</id> + <name>Add rrname_domain++</name> + <position x="1056.0" y="568.0" /> + <styles /> + <comment /> + <class>org.apache.nifi.processors.standard.UpdateRecord</class> + <bundle> + <group>org.apache.nifi</group> + <artifact>nifi-standard-nar</artifact> + <version>1.12.1</version> + </bundle> + 
<maxConcurrentTasks>1</maxConcurrentTasks> + <schedulingPeriod>0 sec</schedulingPeriod> + <penalizationPeriod>30 sec</penalizationPeriod> + <yieldPeriod>1 sec</yieldPeriod> + <bulletinLevel>WARN</bulletinLevel> + <lossTolerant>false</lossTolerant> + <scheduledState>RUNNING</scheduledState> + <schedulingStrategy>TIMER_DRIVEN</schedulingStrategy> + <executionNode>ALL</executionNode> + <runDurationNanos>0</runDurationNanos> + <property> + <name>record-reader</name> + <value>179dd31f-89ed-3179-adb2-85a9c61869ce</value> + </property> + <property> + <name>record-writer</name> + <value>17b30955-5464-3709-8a32-69a459850cfa</value> + </property> + <property> + <name>replacement-value-strategy</name> + <value>literal-value</value> + </property> + <property> + <name>/dns/rrname_domain</name> + <value>${field.value:substringBeforeLast('.'):substringAfterLast('.'):append(${field.value:substringAfterLast('.'):prepend('.')})}</value> + </property> + <property> + <name>/dns/rrname_length</name> + <value>${field.value:length():toNumber()}</value> + </property> + <property> + <name>/dns/rrname_domain_length</name> + <value>${field.value:substringBeforeLast('.'):substringAfterLast('.'):append(${field.value:substringAfterLast('.'):prepend('.')}):length():toNumber()}</value> + </property> + <autoTerminatedRelationship>failure</autoTerminatedRelationship> + </processor> + <processor> + <id>8d312ef9-0175-1000-ffff-fffff23bbb0c</id> + <name>Route on DNS type</name> + <position x="1056.0" y="128.0" /> + <styles /> + <comment /> + <class>org.apache.nifi.processors.standard.RouteOnAttribute</class> + <bundle> + <group>org.apache.nifi</group> + <artifact>nifi-standard-nar</artifact> + <version>1.12.1</version> + </bundle> + <maxConcurrentTasks>1</maxConcurrentTasks> + <schedulingPeriod>0 sec</schedulingPeriod> + <penalizationPeriod>30 sec</penalizationPeriod> + <yieldPeriod>1 sec</yieldPeriod> + <bulletinLevel>WARN</bulletinLevel> + <lossTolerant>false</lossTolerant> + 
<scheduledState>RUNNING</scheduledState> + <schedulingStrategy>TIMER_DRIVEN</schedulingStrategy> + <executionNode>ALL</executionNode> + <runDurationNanos>0</runDurationNanos> + <property> + <name>Routing Strategy</name> + <value>Route to Property name</value> + </property> + <property> + <name>answer</name> + <value>${type:contains("answer")}</value> + </property> + </processor> + <processor> + <id>8d2262f6-0175-1000-0000-000029eaa6ef</id> + <name>Partition on dns message type</name> + <position x="432.0" y="136.0" /> + <styles /> + <comment /> + <class>org.apache.nifi.processors.standard.PartitionRecord</class> + <bundle> + <group>org.apache.nifi</group> + <artifact>nifi-standard-nar</artifact> + <version>1.12.1</version> + </bundle> + <maxConcurrentTasks>1</maxConcurrentTasks> + <schedulingPeriod>0 sec</schedulingPeriod> + <penalizationPeriod>30 sec</penalizationPeriod> + <yieldPeriod>1 sec</yieldPeriod> + <bulletinLevel>WARN</bulletinLevel> + <lossTolerant>false</lossTolerant> + <scheduledState>RUNNING</scheduledState> + <schedulingStrategy>TIMER_DRIVEN</schedulingStrategy> + <executionNode>ALL</executionNode> + <runDurationNanos>0</runDurationNanos> + <property> + <name>record-reader</name> + <value>179dd31f-89ed-3179-adb2-85a9c61869ce</value> + </property> + <property> + <name>record-writer</name> + <value>17b30955-5464-3709-8a32-69a459850cfa</value> + </property> + <property> + <name>type</name> + <value>/dns/type</value> + </property> + <autoTerminatedRelationship>failure</autoTerminatedRelationship> + <autoTerminatedRelationship>original</autoTerminatedRelationship> + </processor> + <processor> + <id>8d36474f-0175-1000-0000-00003a8dd2d0</id> + <name>UpdateAttribute</name> + <position x="1056.0" y="768.0" /> + <styles /> + <comment /> + <class>org.apache.nifi.processors.attributes.UpdateAttribute</class> + <bundle> + <group>org.apache.nifi</group> + <artifact>nifi-update-attribute-nar</artifact> + <version>1.12.1</version> + </bundle> + 
<maxConcurrentTasks>1</maxConcurrentTasks> + <schedulingPeriod>0 sec</schedulingPeriod> + <penalizationPeriod>30 sec</penalizationPeriod> + <yieldPeriod>1 sec</yieldPeriod> + <bulletinLevel>WARN</bulletinLevel> + <lossTolerant>false</lossTolerant> + <scheduledState>RUNNING</scheduledState> + <schedulingStrategy>TIMER_DRIVEN</schedulingStrategy> + <executionNode>ALL</executionNode> + <runDurationNanos>0</runDurationNanos> + <property> + <name>Delete Attributes Expression</name> + </property> + <property> + <name>Store State</name> + <value>Do not store state</value> + </property> + <property> + <name>Stateful Variables Initial Value</name> + </property> + <property> + <name>canonical-value-lookup-cache-size</name> + <value>100</value> + </property> + <property> + <name>enrich_domain1</name> + <value>/dns/rrname_domain</value> + </property> + <property> + <name>enrich_fqdn1</name> + <value>/dns/rrname</value> + </property> + </processor> + <processor> + <id>8d34409e-0175-1000-ffff-ffff99eb371d</id> + <name>Extract rrname_domain++</name> + <position x="1056.0" y="368.0" /> + <styles /> + <comment /> + <class>org.apache.nifi.processors.standard.UpdateRecord</class> + <bundle> + <group>org.apache.nifi</group> + <artifact>nifi-standard-nar</artifact> + <version>1.12.1</version> + </bundle> + <maxConcurrentTasks>1</maxConcurrentTasks> + <schedulingPeriod>0 sec</schedulingPeriod> + <penalizationPeriod>30 sec</penalizationPeriod> + <yieldPeriod>1 sec</yieldPeriod> + <bulletinLevel>WARN</bulletinLevel> + <lossTolerant>false</lossTolerant> + <scheduledState>RUNNING</scheduledState> + <schedulingStrategy>TIMER_DRIVEN</schedulingStrategy> + <executionNode>ALL</executionNode> + <runDurationNanos>0</runDurationNanos> + <property> + <name>record-reader</name> + <value>179dd31f-89ed-3179-adb2-85a9c61869ce</value> + </property> + <property> + <name>record-writer</name> + <value>17b30955-5464-3709-8a32-69a459850cfa</value> + </property> + <property> + 
<name>replacement-value-strategy</name> + <value>literal-value</value> + </property> + <property> + <name>/dns/rrname_domain</name> + <value>/dns/rrname</value> + </property> + <property> + <name>/dns/rrname_length</name> + <value>/dns/rrname</value> + </property> + <property> + <name>/dns/rrname_domain_length</name> + <value>/dns/rrname</value> + </property> + <autoTerminatedRelationship>failure</autoTerminatedRelationship> + </processor> + <inputPort> + <id>8d212c22-0175-1000-ffff-fffffbc39157</id> + <name>Input</name> + <position x="488.0" y="0.0" /> + <comments /> + <scheduledState>RUNNING</scheduledState> + </inputPort> + <outputPort> + <id>8d211b58-0175-1000-0000-000003eb5f3b</id> + <name>Output</name> + <position x="448.0" y="808.0" /> + <comments /> + <scheduledState>RUNNING</scheduledState> + </outputPort> + <connection> + <id>8d3979b7-0175-1000-ffff-ffffe2efe898</id> + <name /> + <bendPoints /> + <labelIndex>1</labelIndex> + <zIndex>0</zIndex> + <sourceId>8d37fe91-0175-1000-ffff-ffffb5c4de34</sourceId> + <sourceGroupId>8d1ad21f-0175-1000-0000-00003c540411</sourceGroupId> + <sourceType>PROCESSOR</sourceType> + <destinationId>8d36474f-0175-1000-0000-00003a8dd2d0</destinationId> + <destinationGroupId>8d1ad21f-0175-1000-0000-00003c540411</destinationGroupId> + <destinationType>PROCESSOR</destinationType> + <relationship>success</relationship> + <maxWorkQueueSize>10000</maxWorkQueueSize> + <maxWorkQueueDataSize>1 GB</maxWorkQueueDataSize> + <flowFileExpiration>0 sec</flowFileExpiration> + <loadBalanceStrategy>DO_NOT_LOAD_BALANCE</loadBalanceStrategy> + <partitioningAttribute /> + <loadBalanceCompression>DO_NOT_COMPRESS</loadBalanceCompression> + </connection> + <connection> + <id>8d3afc9a-0175-1000-ffff-ffffe1ef144c</id> + <name /> + <bendPoints /> + <labelIndex>1</labelIndex> + <zIndex>0</zIndex> + <sourceId>8d36474f-0175-1000-0000-00003a8dd2d0</sourceId> + <sourceGroupId>8d1ad21f-0175-1000-0000-00003c540411</sourceGroupId> + 
<sourceType>PROCESSOR</sourceType> + <destinationId>8d211b58-0175-1000-0000-000003eb5f3b</destinationId> + <destinationGroupId>8d1ad21f-0175-1000-0000-00003c540411</destinationGroupId> + <destinationType>OUTPUT_PORT</destinationType> + <relationship>success</relationship> + <maxWorkQueueSize>10000</maxWorkQueueSize> + <maxWorkQueueDataSize>1 GB</maxWorkQueueDataSize> + <flowFileExpiration>0 sec</flowFileExpiration> + <loadBalanceStrategy>DO_NOT_LOAD_BALANCE</loadBalanceStrategy> + <partitioningAttribute /> + <loadBalanceCompression>DO_NOT_COMPRESS</loadBalanceCompression> + </connection> + <connection> + <id>8d30f240-0175-1000-ffff-ffffa4cc8a58</id> + <name /> + <bendPoints /> + <labelIndex>1</labelIndex> + <zIndex>0</zIndex> + <sourceId>8d212c22-0175-1000-ffff-fffffbc39157</sourceId> + <sourceGroupId>8d1ad21f-0175-1000-0000-00003c540411</sourceGroupId> + <sourceType>INPUT_PORT</sourceType> + <destinationId>8d2262f6-0175-1000-0000-000029eaa6ef</destinationId> + <destinationGroupId>8d1ad21f-0175-1000-0000-00003c540411</destinationGroupId> + <destinationType>PROCESSOR</destinationType> + <relationship /> + <maxWorkQueueSize>10000</maxWorkQueueSize> + <maxWorkQueueDataSize>1 GB</maxWorkQueueDataSize> + <flowFileExpiration>0 sec</flowFileExpiration> + <loadBalanceStrategy>DO_NOT_LOAD_BALANCE</loadBalanceStrategy> + <partitioningAttribute /> + <loadBalanceCompression>DO_NOT_COMPRESS</loadBalanceCompression> + </connection> + <connection> + <id>8d3b1d93-0175-1000-ffff-ffffe953d6b9</id> + <name /> + <bendPoints> + <bendPoint x="568.0" y="400.0" /> + </bendPoints> + <labelIndex>0</labelIndex> + <zIndex>0</zIndex> + <sourceId>8d312ef9-0175-1000-ffff-fffff23bbb0c</sourceId> + <sourceGroupId>8d1ad21f-0175-1000-0000-00003c540411</sourceGroupId> + <sourceType>PROCESSOR</sourceType> + <destinationId>8d211b58-0175-1000-0000-000003eb5f3b</destinationId> + <destinationGroupId>8d1ad21f-0175-1000-0000-00003c540411</destinationGroupId> + <destinationType>OUTPUT_PORT</destinationType> 
+ <relationship>unmatched</relationship> + <maxWorkQueueSize>10000</maxWorkQueueSize> + <maxWorkQueueDataSize>1 GB</maxWorkQueueDataSize> + <flowFileExpiration>0 sec</flowFileExpiration> + <loadBalanceStrategy>DO_NOT_LOAD_BALANCE</loadBalanceStrategy> + <partitioningAttribute /> + <loadBalanceCompression>DO_NOT_COMPRESS</loadBalanceCompression> + </connection> + <connection> + <id>8d3821ce-0175-1000-0000-000046a72d11</id> + <name /> + <bendPoints /> + <labelIndex>1</labelIndex> + <zIndex>0</zIndex> + <sourceId>8d34409e-0175-1000-ffff-ffff99eb371d</sourceId> + <sourceGroupId>8d1ad21f-0175-1000-0000-00003c540411</sourceGroupId> + <sourceType>PROCESSOR</sourceType> + <destinationId>8d37fe91-0175-1000-ffff-ffffb5c4de34</destinationId> + <destinationGroupId>8d1ad21f-0175-1000-0000-00003c540411</destinationGroupId> + <destinationType>PROCESSOR</destinationType> + <relationship>success</relationship> + <maxWorkQueueSize>10000</maxWorkQueueSize> + <maxWorkQueueDataSize>1 GB</maxWorkQueueDataSize> + <flowFileExpiration>0 sec</flowFileExpiration> + <loadBalanceStrategy>DO_NOT_LOAD_BALANCE</loadBalanceStrategy> + <partitioningAttribute /> + <loadBalanceCompression>DO_NOT_COMPRESS</loadBalanceCompression> + </connection> + <connection> + <id>8d3281c3-0175-1000-ffff-ffffed50fa50</id> + <name /> + <bendPoints /> + <labelIndex>1</labelIndex> + <zIndex>0</zIndex> + <sourceId>8d2262f6-0175-1000-0000-000029eaa6ef</sourceId> + <sourceGroupId>8d1ad21f-0175-1000-0000-00003c540411</sourceGroupId> + <sourceType>PROCESSOR</sourceType> + <destinationId>8d312ef9-0175-1000-ffff-fffff23bbb0c</destinationId> + <destinationGroupId>8d1ad21f-0175-1000-0000-00003c540411</destinationGroupId> + <destinationType>PROCESSOR</destinationType> + <relationship>success</relationship> + <maxWorkQueueSize>10000</maxWorkQueueSize> + <maxWorkQueueDataSize>1 GB</maxWorkQueueDataSize> + <flowFileExpiration>0 sec</flowFileExpiration> + <loadBalanceStrategy>DO_NOT_LOAD_BALANCE</loadBalanceStrategy> + 
<partitioningAttribute /> + <loadBalanceCompression>DO_NOT_COMPRESS</loadBalanceCompression> + </connection> + <connection> + <id>8d3485f4-0175-1000-0000-0000175959ff</id> + <name /> + <bendPoints /> + <labelIndex>1</labelIndex> + <zIndex>0</zIndex> + <sourceId>8d312ef9-0175-1000-ffff-fffff23bbb0c</sourceId> + <sourceGroupId>8d1ad21f-0175-1000-0000-00003c540411</sourceGroupId> + <sourceType>PROCESSOR</sourceType> + <destinationId>8d34409e-0175-1000-ffff-ffff99eb371d</destinationId> + <destinationGroupId>8d1ad21f-0175-1000-0000-00003c540411</destinationGroupId> + <destinationType>PROCESSOR</destinationType> + <relationship>answer</relationship> + <maxWorkQueueSize>10000</maxWorkQueueSize> + <maxWorkQueueDataSize>1 GB</maxWorkQueueDataSize> + <flowFileExpiration>0 sec</flowFileExpiration> + <loadBalanceStrategy>DO_NOT_LOAD_BALANCE</loadBalanceStrategy> + <partitioningAttribute /> + <loadBalanceCompression>DO_NOT_COMPRESS</loadBalanceCompression> + </connection> + </processGroup> <connection> - <id>14453eaa-7646-1485-0000-000070b97065</id> + <id>349b32bb-a821-1197-ffff-ffff81dc7ff2</id> <name /> <bendPoints /> <labelIndex>1</labelIndex> <zIndex>0</zIndex> - <sourceId>14453e90-7646-1485-ffff-ffff81f3c683</sourceId> - <sourceGroupId>48bc31b5-dbc5-116d-adbe-fe0f10314ac2</sourceGroupId> + <sourceId>8d1bef35-0175-1000-0000-0000746fa33d</sourceId> + <sourceGroupId>bd12dc14-015e-3428-bfdf-b1219d2d6fdb</sourceGroupId> <sourceType>PROCESSOR</sourceType> - <destinationId>92693a34-99da-1004-adfb-bdf4aa7e1c30</destinationId> - <destinationGroupId>48bc31b5-dbc5-116d-adbe-fe0f10314ac2</destinationGroupId> - <destinationType>PROCESSOR</destinationType> - <relationship>success</relationship> + <destinationId>92795a59-0175-1000-ffff-ffff89bc5f21</destinationId> + <destinationGroupId>8d1afcd0-0175-1000-ffff-ffffb3690a74</destinationGroupId> + <destinationType>INPUT_PORT</destinationType> + <relationship>tls</relationship> <maxWorkQueueSize>10000</maxWorkQueueSize> 
<maxWorkQueueDataSize>1 GB</maxWorkQueueDataSize> <flowFileExpiration>0 sec</flowFileExpiration> @@ -6284,16 +7037,16 @@ <loadBalanceCompression>DO_NOT_COMPRESS</loadBalanceCompression> </connection> <connection> - <id>e43535a1-23e9-15af-9f98-2061dd6f97d6</id> + <id>8d19c8d7-0175-1000-ffff-ffffe3aa385d</id> <name /> <bendPoints /> <labelIndex>1</labelIndex> <zIndex>0</zIndex> - <sourceId>92693a34-99da-1004-adfb-bdf4aa7e1c30</sourceId> - <sourceGroupId>48bc31b5-dbc5-116d-adbe-fe0f10314ac2</sourceGroupId> + <sourceId>1a038948-9e9a-3523-b899-990077bfd575</sourceId> + <sourceGroupId>bd12dc14-015e-3428-bfdf-b1219d2d6fdb</sourceGroupId> <sourceType>PROCESSOR</sourceType> - <destinationId>50813f6b-a5f6-1a98-8ae4-115134714332</destinationId> - <destinationGroupId>48bc31b5-dbc5-116d-adbe-fe0f10314ac2</destinationGroupId> + <destinationId>46cdd7aa-91f0-307c-90aa-65747e558f25</destinationId> + <destinationGroupId>bd12dc14-015e-3428-bfdf-b1219d2d6fdb</destinationGroupId> <destinationType>PROCESSOR</destinationType> <relationship>success</relationship> <maxWorkQueueSize>10000</maxWorkQueueSize> 
@@ -6304,18 +7057,18 @@ <loadBalanceCompression>DO_NOT_COMPRESS</loadBalanceCompression> </connection> <connection> - <id>70e77065-0176-1000-0000-00001479fdf4</id> + <id>8d13df9c-0175-1000-0000-0000562b802e</id> <name /> <bendPoints /> <labelIndex>1</labelIndex> <zIndex>0</zIndex> - <sourceId>e0bd3907-2d13-1407-b2dd-48591e65e59d</sourceId> - <sourceGroupId>48bc31b5-dbc5-116d-adbe-fe0f10314ac2</sourceGroupId> - <sourceType>PROCESSOR</sourceType> - <destinationId>48723b8e-fae0-14e6-afdc-85c239646dc0</destinationId> - <destinationGroupId>48bc31b5-dbc5-116d-adbe-fe0f10314ac2</destinationGroupId> + <sourceId>8d13c952-0175-1000-0000-00007e8f4cae</sourceId> + <sourceGroupId>bd12dc14-015e-3428-bfdf-b1219d2d6fdb</sourceGroupId> + <sourceType>INPUT_PORT</sourceType> + <destinationId>24e1d8ed-10f4-3b46-958c-f2fb676e3192</destinationId> + <destinationGroupId>bd12dc14-015e-3428-bfdf-b1219d2d6fdb</destinationGroupId> <destinationType>PROCESSOR</destinationType> - <relationship>success</relationship> + <relationship /> <maxWorkQueueSize>10000</maxWorkQueueSize> <maxWorkQueueDataSize>1 GB</maxWorkQueueDataSize> <flowFileExpiration>0 sec</flowFileExpiration> 
@@ -6324,18 +7077,18 @@ <loadBalanceCompression>DO_NOT_COMPRESS</loadBalanceCompression> </connection> <connection> - <id>cf95350a-de6c-1a4b-8183-8f9cfa11449a</id> + <id>f9a8aee6-502f-3eb9-8806-8964276d4ca0</id> <name /> <bendPoints /> <labelIndex>1</labelIndex> <zIndex>0</zIndex> - <sourceId>7f683020-779c-1bc9-85da-5bad079d5d9d</sourceId> - <sourceGroupId>48bc31b5-dbc5-116d-adbe-fe0f10314ac2</sourceGroupId> - <sourceType>INPUT_PORT</sourceType> - <destinationId>f92d3f77-958a-1344-bd3b-7c93457e5c12</destinationId> - <destinationGroupId>48bc31b5-dbc5-116d-adbe-fe0f10314ac2</destinationGroupId> + <sourceId>24e1d8ed-10f4-3b46-958c-f2fb676e3192</sourceId> + <sourceGroupId>bd12dc14-015e-3428-bfdf-b1219d2d6fdb</sourceGroupId> + <sourceType>PROCESSOR</sourceType> + <destinationId>1a038948-9e9a-3523-b899-990077bfd575</destinationId> + <destinationGroupId>bd12dc14-015e-3428-bfdf-b1219d2d6fdb</destinationGroupId> <destinationType>PROCESSOR</destinationType> - <relationship /> + <relationship>success</relationship> <maxWorkQueueSize>10000</maxWorkQueueSize> <maxWorkQueueDataSize>1 GB</maxWorkQueueDataSize> <flowFileExpiration>0 sec</flowFileExpiration> 
@@ -6344,18 +7097,18 @@ <loadBalanceCompression>DO_NOT_COMPRESS</loadBalanceCompression> </connection> <connection> - <id>14453fcf-7646-1485-ffff-ffff952df142</id> + <id>8d2364b0-0175-1000-ffff-ffffa2a4601f</id> <name /> <bendPoints /> <labelIndex>1</labelIndex> <zIndex>0</zIndex> - <sourceId>e4353681-23e9-15af-0000-000032ea35e3</sourceId> - <sourceGroupId>48bc31b5-dbc5-116d-adbe-fe0f10314ac2</sourceGroupId> + <sourceId>8d1bef35-0175-1000-0000-0000746fa33d</sourceId> + <sourceGroupId>bd12dc14-015e-3428-bfdf-b1219d2d6fdb</sourceGroupId> <sourceType>PROCESSOR</sourceType> - <destinationId>14453e90-7646-1485-ffff-ffff81f3c683</destinationId> - <destinationGroupId>48bc31b5-dbc5-116d-adbe-fe0f10314ac2</destinationGroupId> - <destinationType>PROCESSOR</destinationType> - <relationship>audit</relationship> + <destinationId>8d212c22-0175-1000-ffff-fffffbc39157</destinationId> + <destinationGroupId>8d1ad21f-0175-1000-0000-00003c540411</destinationGroupId> + <destinationType>INPUT_PORT</destinationType> + <relationship>dns</relationship> <maxWorkQueueSize>10000</maxWorkQueueSize> <maxWorkQueueDataSize>1 GB</maxWorkQueueDataSize> <flowFileExpiration>0 sec</flowFileExpiration> 
@@ -6364,16 +7117,16 @@ <loadBalanceCompression>DO_NOT_COMPRESS</loadBalanceCompression> </connection> <connection> - <id>3e21311d-dc5c-143f-b39e-d8fb8c9fd36d</id> + <id>8d1a6818-0175-1000-ffff-ffffeebd7e98</id> <name /> <bendPoints /> <labelIndex>1</labelIndex> <zIndex>0</zIndex> - <sourceId>50813f6b-a5f6-1a98-8ae4-115134714332</sourceId> - <sourceGroupId>48bc31b5-dbc5-116d-adbe-fe0f10314ac2</sourceGroupId> + <sourceId>46cdd7aa-91f0-307c-90aa-65747e558f25</sourceId> + <sourceGroupId>bd12dc14-015e-3428-bfdf-b1219d2d6fdb</sourceGroupId> <sourceType>PROCESSOR</sourceType> - <destinationId>48723b8e-fae0-14e6-afdc-85c239646dc0</destinationId> - <destinationGroupId>48bc31b5-dbc5-116d-adbe-fe0f10314ac2</destinationGroupId> + <destinationId>fd6b6513-51f8-3a96-a764-13bd39ec7f84</destinationId> + <destinationGroupId>bd12dc14-015e-3428-bfdf-b1219d2d6fdb</destinationGroupId> <destinationType>PROCESSOR</destinationType> <relationship>success</relationship> <maxWorkQueueSize>10000</maxWorkQueueSize> 
@@ -6384,18 +7137,18 @@ <loadBalanceCompression>DO_NOT_COMPRESS</loadBalanceCompression> </connection> <connection> - <id>14453a4b-7646-1485-ffff-fffffc8f5285</id> + <id>349b32e1-a821-1197-0000-00000d7cca30</id> <name /> <bendPoints /> <labelIndex>1</labelIndex> <zIndex>0</zIndex> - <sourceId>e4353681-23e9-15af-0000-000032ea35e3</sourceId> - <sourceGroupId>48bc31b5-dbc5-116d-adbe-fe0f10314ac2</sourceGroupId> - <sourceType>PROCESSOR</sourceType> - <destinationId>14453a41-7646-1485-b398-28f819de4a45</destinationId> - <destinationGroupId>48bc31b5-dbc5-116d-adbe-fe0f10314ac2</destinationGroupId> - <destinationType>PROCESSOR</destinationType> - <relationship>unmatched</relationship> + <sourceId>349b32d8-a821-1197-0000-000025a75a3b</sourceId> + <sourceGroupId>8d1afcd0-0175-1000-ffff-ffffb3690a74</sourceGroupId> + <sourceType>OUTPUT_PORT</sourceType> + <destinationId>055308a4-d020-39a9-9da4-b165796ef717</destinationId> + <destinationGroupId>bd12dc14-015e-3428-bfdf-b1219d2d6fdb</destinationGroupId> + <destinationType>OUTPUT_PORT</destinationType> + <relationship /> <maxWorkQueueSize>10000</maxWorkQueueSize> <maxWorkQueueDataSize>1 GB</maxWorkQueueDataSize> <flowFileExpiration>0 sec</flowFileExpiration> 
@@ -6404,17 +7157,17 @@ <loadBalanceCompression>DO_NOT_COMPRESS</loadBalanceCompression> </connection> <connection> - <id>7fe931b3-82b3-1699-b49a-d380dd14a5b8</id> + <id>8d1c1701-0175-1000-ffff-fffff7364622</id> <name /> <bendPoints /> <labelIndex>1</labelIndex> <zIndex>0</zIndex> - <sourceId>48723b8e-fae0-14e6-afdc-85c239646dc0</sourceId> - <sourceGroupId>48bc31b5-dbc5-116d-adbe-fe0f10314ac2</sourceGroupId> + <sourceId>fd6b6513-51f8-3a96-a764-13bd39ec7f84</sourceId> + <sourceGroupId>bd12dc14-015e-3428-bfdf-b1219d2d6fdb</sourceGroupId> <sourceType>PROCESSOR</sourceType> - <destinationId>bcbb33ba-112e-1f53-8982-d5ae9f0e701f</destinationId> - <destinationGroupId>48bc31b5-dbc5-116d-adbe-fe0f10314ac2</destinationGroupId> - <destinationType>OUTPUT_PORT</destinationType> + <destinationId>8d1bef35-0175-1000-0000-0000746fa33d</destinationId> + <destinationGroupId>bd12dc14-015e-3428-bfdf-b1219d2d6fdb</destinationGroupId> + <destinationType>PROCESSOR</destinationType> <relationship>success</relationship> <maxWorkQueueSize>10000</maxWorkQueueSize> <maxWorkQueueDataSize>1 GB</maxWorkQueueDataSize> 
@@ -6424,18 +7177,20 @@ <loadBalanceCompression>DO_NOT_COMPRESS</loadBalanceCompression> </connection> <connection> - <id>a35e3744-5906-1ee9-abc4-205356ca01d1</id> + <id>9266feff-0175-1000-ffff-ffff8c7d68c1</id> <name /> - <bendPoints /> - <labelIndex>1</labelIndex> + <bendPoints> + <bendPoint x="-1208.0" y="952.0" /> + </bendPoints> + <labelIndex>0</labelIndex> <zIndex>0</zIndex> - <sourceId>f92d3f77-958a-1344-bd3b-7c93457e5c12</sourceId> - <sourceGroupId>48bc31b5-dbc5-116d-adbe-fe0f10314ac2</sourceGroupId> + <sourceId>8d1bef35-0175-1000-0000-0000746fa33d</sourceId> + <sourceGroupId>bd12dc14-015e-3428-bfdf-b1219d2d6fdb</sourceGroupId> <sourceType>PROCESSOR</sourceType> - <destinationId>e4353681-23e9-15af-0000-000032ea35e3</destinationId> - <destinationGroupId>48bc31b5-dbc5-116d-adbe-fe0f10314ac2</destinationGroupId> - <destinationType>PROCESSOR</destinationType> - <relationship>success</relationship> + <destinationId>055308a4-d020-39a9-9da4-b165796ef717</destinationId> + <destinationGroupId>bd12dc14-015e-3428-bfdf-b1219d2d6fdb</destinationGroupId> + <destinationType>OUTPUT_PORT</destinationType> + <relationship>unmatched</relationship> <maxWorkQueueSize>10000</maxWorkQueueSize> <maxWorkQueueDataSize>1 GB</maxWorkQueueDataSize> <flowFileExpiration>0 sec</flowFileExpiration> 
@@ -6444,18 +7199,18 @@ <loadBalanceCompression>DO_NOT_COMPRESS</loadBalanceCompression> </connection> <connection> - <id>70e8f3cb-0176-1000-0000-00006d2cdbf5</id> + <id>9266e0c5-0175-1000-0000-00006aafc0f8</id> <name /> <bendPoints /> <labelIndex>1</labelIndex> <zIndex>0</zIndex> - <sourceId>14453a41-7646-1485-b398-28f819de4a45</sourceId> - <sourceGroupId>48bc31b5-dbc5-116d-adbe-fe0f10314ac2</sourceGroupId> - <sourceType>PROCESSOR</sourceType> - <destinationId>e0bd3907-2d13-1407-b2dd-48591e65e59d</destinationId> - <destinationGroupId>48bc31b5-dbc5-116d-adbe-fe0f10314ac2</destinationGroupId> - <destinationType>PROCESSOR</destinationType> - <relationship>success</relationship> + <sourceId>8d211b58-0175-1000-0000-000003eb5f3b</sourceId> + <sourceGroupId>8d1ad21f-0175-1000-0000-00003c540411</sourceGroupId> + <sourceType>OUTPUT_PORT</sourceType> + <destinationId>055308a4-d020-39a9-9da4-b165796ef717</destinationId> + <destinationGroupId>bd12dc14-015e-3428-bfdf-b1219d2d6fdb</destinationGroupId> + <destinationType>OUTPUT_PORT</destinationType> + <relationship /> <maxWorkQueueSize>10000</maxWorkQueueSize> <maxWorkQueueDataSize>1 GB</maxWorkQueueDataSize> <flowFileExpiration>0 sec</flowFileExpiration> 
@@ -7715,6 +8470,46 @@ <loadBalanceCompression>DO_NOT_COMPRESS</loadBalanceCompression> </connection> </processGroup> + <connection> + <id>716793d9-0177-1000-ffff-ffffea0e5a02</id> + <name /> + <bendPoints /> + <labelIndex>1</labelIndex> + <zIndex>0</zIndex> + <sourceId>847a3472-7bdb-1823-8c6f-7b72bc6acc95</sourceId> + <sourceGroupId>355e3dc3-4da9-1443-ae3b-b6556e6a180a</sourceGroupId> + <sourceType>OUTPUT_PORT</sourceType> + <destinationId>349b32fe-a821-1197-0000-00003a0b6fe5</destinationId> + <destinationGroupId>0c790562-0175-1000-ffff-ffffeaaeafc3</destinationGroupId> + <destinationType>OUTPUT_PORT</destinationType> + <relationship /> + <maxWorkQueueSize>10000</maxWorkQueueSize> + <maxWorkQueueDataSize>1 GB</maxWorkQueueDataSize> + <flowFileExpiration>0 sec</flowFileExpiration> + <loadBalanceStrategy>DO_NOT_LOAD_BALANCE</loadBalanceStrategy> + <partitioningAttribute /> + <loadBalanceCompression>DO_NOT_COMPRESS</loadBalanceCompression> + </connection> + <connection> + <id>71677a5e-0177-1000-ffff-fffffff8a427</id> + <name /> + <bendPoints /> + <labelIndex>1</labelIndex> + <zIndex>0</zIndex> + <sourceId>8962ad5a-0175-1000-ffff-ffffde6db5a6</sourceId> + <sourceGroupId>0c790562-0175-1000-ffff-ffffeaaeafc3</sourceGroupId> + <sourceType>PROCESSOR</sourceType> + <destinationId>de3b3084-16ab-1800-bad8-48890ca0526b</destinationId> + <destinationGroupId>355e3dc3-4da9-1443-ae3b-b6556e6a180a</destinationGroupId> + <destinationType>INPUT_PORT</destinationType> + <relationship>misp</relationship> + <maxWorkQueueSize>10000</maxWorkQueueSize> + <maxWorkQueueDataSize>1 GB</maxWorkQueueDataSize> + <flowFileExpiration>0 sec</flowFileExpiration> + <loadBalanceStrategy>DO_NOT_LOAD_BALANCE</loadBalanceStrategy> + <partitioningAttribute /> + <loadBalanceCompression>DO_NOT_COMPRESS</loadBalanceCompression> + </connection> <connection> <id>fbbe3f1b-5336-11c9-ffff-ffffd29d2f5c</id> <name /> 
@@ -8151,7 +8946,7 @@ <processGroup> <id>b3d57504-7c06-37a3-b59b-8723f60fa728</id> <name>Test data</name> - <position x="-496.0" y="552.0" /> + <position x="-488.0" y="784.0" /> <comment /> <flowfileConcurrency>UNBOUNDED</flowfileConcurrency> <flowfileOutboundPolicy>STREAM_WHEN_AVAILABLE</flowfileOutboundPolicy> @@ -8407,7 +9202,9 @@ <connection> <id>c5fe676f-baa5-3d90-956e-fe502db0ac68</id> <name /> - <bendPoints /> + <bendPoints> + <bendPoint x="288.0" y="872.0" /> + </bendPoints> <labelIndex>0</labelIndex> <zIndex>0</zIndex> <sourceId>d30dc946-251a-307c-8e88-f2262b0bb194</sourceId> @@ -8427,8 +9224,10 @@ <connection> <id>349b33a3-a821-1197-0000-00001ce4370e</id> <name /> - <bendPoints /> - <labelIndex>1</labelIndex> + <bendPoints> + <bendPoint x="273.7158508300781" y="207.02731323242188" /> + </bendPoints> + <labelIndex>0</labelIndex> <zIndex>0</zIndex> <sourceId>349b32fe-a821-1197-0000-00003a0b6fe5</sourceId> <sourceGroupId>0c790562-0175-1000-ffff-ffffeaaeafc3</sourceGroupId> @@ -8447,8 +9246,10 @@ <connection> <id>bcb8ef9d-0175-1000-0000-000017e52ef1</id> <name /> - <bendPoints /> - <labelIndex>1</labelIndex> + <bendPoints> + <bendPoint x="-726.2841491699219" y="215.02731323242188" /> + </bendPoints> + <labelIndex>0</labelIndex> <zIndex>0</zIndex> <sourceId>bcb879d5-0175-1000-0000-000070879ad0</sourceId> <sourceGroupId>0c790562-0175-1000-ffff-ffffeaaeafc3</sourceGroupId> @@ -8467,9 +9268,7 @@ <connection> <id>27d64272-0172-1000-0000-000079e1c9c6</id> <name /> - <bendPoints> - <bendPoint x="88.0" y="864.0" /> - </bendPoints> + <bendPoints /> <labelIndex>0</labelIndex> <zIndex>0</zIndex> <sourceId>27d5761b-0172-1000-0000-000059275dad</sourceId> @@ -8490,7 +9289,7 @@ <id>27d65fe7-0172-1000-ffff-ffffec2db03b</id> <name /> <bendPoints> - <bendPoint x="-744.0" y="856.0" /> + <bendPoint x="-720.0" y="648.0" /> </bendPoints> <labelIndex>0</labelIndex> <zIndex>0</zIndex> 
@@ -8659,7 +9458,7 @@
 </property>
 <property>
 <name>Password</name>
- <value>enc{e3c6c99d66e95dfa569c6dab15f7bd5cb2142d215044a4c556aba0a2bed19ac85c899bd8837e09bb49300f0823011b45}</value>
+ <value>enc{fe16f9929f6406cddb4bd76ce65cd921c54d473e22a0b270cf5d3928e20c6d668988cec4c468fd5bb45ecfcc18879950}</value>
 </property>
 <property>
 <name>elasticsearch-http-connect-timeout</name>
@@ -11153,7 +11952,7 @@
 </property>
 <property>
 <name>Truststore Password</name>
- <value>enc{2650a175fb2f75e2dcd038b4b506ac6368b7e025f6cb80fa6a82b187b0755443}</value>
+ <value>enc{fc071bc2a657baab96c3afa45b3e5b04e45b1071892e2263b922ab36c1d4feb0}</value>
 </property>
 <property>
 <name>Truststore Type</name>
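Review bot: The `Password` and `Truststore Password` values are committed as fixed `enc{…}` ciphertext inside an Ansible Jinja template, and this hunk swaps one ciphertext for another with nothing recording why. A NiFi `enc{}` value only decrypts on an instance whose sensitive-properties key matches the one used to produce it, so these literals silently tie the template to one deployment's key and will break (or, worse, load an unrelated credential) if that key is rotated; the same file already injects `misp_token` from a secrets lookup rather than baking it in, which is the pattern these two properties should follow. At minimum add a comment next to each value, e.g. `<!-- enc{} ciphertext bound to nifi.sensitive.props.key; regenerate whenever that key changes -->`, and keep the key and the ciphertext-bearing template out of the same repository. Which sensitive-props key produced the new ciphertext is not visible here; the enclosing `<processor>`/`<controllerService>` elements start and end outside the hunk.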
@@ -11744,6 +12543,50 @@
 <name>Timestamp Format</name>
 </property>
 </controllerService>
+ <controllerService>
+ <id>71940755-0177-1000-0000-0000489cb88a</id>
+ <name>Misp GrokReader</name>
+ <comment />
+ <class>org.apache.nifi.grok.GrokReader</class>
+ <bundle>
+ <group>org.apache.nifi</group>
+ <artifact>nifi-record-serialization-services-nar</artifact>
+ <version>1.12.1</version>
+ </bundle>
+ <enabled>true</enabled>
+ <property>
+ <name>schema-access-strategy</name>
+ <value>string-fields-from-grok-expression</value>
+ </property>
+ <property>
+ <name>schema-registry</name>
+ </property>
+ <property>
+ <name>schema-name</name>
+ <value>${schema.name}</value>
+ </property>
+ <property>
+ <name>schema-version</name>
+ </property>
+ <property>
+ <name>schema-branch</name>
+ </property>
+ <property>
+ <name>schema-text</name>
+ <value>${avro.schema}</value>
+ </property>
+ <property>
+ <name>Grok Pattern File</name>
+ </property>
+ <property>
+ <name>Grok Expression</name>
+ <value>%{COMBINEDAPACHELOG}</value>
+ </property>
+ <property>
+ <name>no-match-behavior</name>
+ <value>append-to-previous-message</value>
+ </property>
+ </controllerService>
 <variable name="misp_token" value="{{lookup('file','{{playbook_dir}}/secrets/tokens/misp')}}" />
 <variable name="maxmind_key" value="{{ maxmind_key }}" />
 <variable name="misp_first_interval" value="60d" />
-- 
GitLab
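Review bot: The new `Misp GrokReader` service parses with `%{COMBINEDAPACHELOG}` and `no-match-behavior` set to `append-to-previous-message`, yet nothing in the expression is MISP-specific, so any MISP line that does not look like an Apache combined access log will be glued onto the previous record instead of surfacing as a parse failure. For a threat-intel feed that behaviour hides malformed or unexpected input, which is exactly what a pipeline ingesting external data should be loud about; if the reader is meant for MISP output, the expression needs to match that format, and until then the safer setting is to drop or pass through unmatched lines, e.g. `<value>skip-line</value>` (or the raw-line option if 1.12.1's GrokReader offers it), so that mismatches are countable. The `<comment />` element is empty; a one-line comment stating the expected input format and that the pattern is a placeholder would keep the next maintainer from trusting the `Misp` name. I cannot tell from this hunk which processor references the service, so whether the placeholder pattern is exercised today is an inference.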
