From 10139248a957bb8114549a47617b9d4c6008716e Mon Sep 17 00:00:00 2001
From: ajasnosz
Date: Thu, 13 Feb 2025 14:38:13 +0100
Subject: [PATCH 1/3] chore: add netapp test
---
tests/test_netapp.py | 32 ++++++++++++++++++++++++++++++++
1 file changed, 32 insertions(+)
diff --git a/tests/test_netapp.py b/tests/test_netapp.py
index 6451deac06..a05aead4c2 100644
--- a/tests/test_netapp.py
+++ b/tests/test_netapp.py
@@ -87,4 +87,36 @@ def test_netapp_ontap_ems_rfc5424( record_property("resultCount", result_count) record_property("message", message) + assert result_count == 1 + + +# Netapp Ontap EMS event +# <13>Feb 10 11:36:10 [cluster-01:secd.conn.auth.failure:notice]: Vserver (datavserver) could not make a connection over the network to server (ip 2.3.3.3, port 389). Error: Operation timed out (Service: LDAP (Active Directory), Operation: SiteDiscovery). +@pytest.mark.addons("netapp") +def test_netapp_ontap_ems( + record_property, get_host_key, setup_splunk, setup_sc4s +): + host = "netapp-ontap-" + get_host_key + + dt = datetime.datetime.now(datetime.timezone.utc) + _, bsd, _, _, _, _, epoch = time_operations(dt) + + # Tune time functions + epoch = epoch[:-7] + mt = env.from_string( + "{{ mark }}{{ bsd }} [{{ host }}:{{ category }}:{{ severity }}]: Vserver (datavserver) could not make a connection over the network to server (ip 2.3.3.3, port 389). Error: Operation timed out (Service: LDAP (Active Directory), Operation: SiteDiscovery)") + message = mt.render(mark="<13>", bsd=bsd, host=host, category="secd.conn.auth.failure", severity="notice") + sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) + + st = env.from_string( + 'search index=infraops _time={{ epoch }} sourcetype="netapp:ontap:ems" host="{{ host }}"' + ) + search = st.render(epoch=epoch, host=host) + + result_count, _ = splunk_single(setup_splunk, search) + + record_property("host", host) + record_property("resultCount", result_count) + record_property("message", message) + assert result_count == 1 \ No newline at end of file From 7c4bc508512acf2735583653b1b2ca1f1cf97886 Mon Sep 17 00:00:00 2001 
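Review bot: The assertion in `test_netapp_ontap_ems` only proves that one event arrived with the `netapp:ontap:ems` sourcetype and the rewritten host; it does not check the category and severity that the parser change in PATCH 2/3 writes to `fields.category` and `fields.severity`, which are the values a detection for `secd.conn.auth.failure` would key on. Assuming those arrive in Splunk as indexed fields named `category` and `severity` (not confirmed by this page), extend the search template with `category="secd.conn.auth.failure" severity="notice"` so that a regression in the extraction fails the test. The file also still ends without a trailing newline (`\ No newline at end of file`), which is worth fixing in the same change.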
From: ajasnosz Date: Tue, 18 Feb 2025 10:29:09 +0100 Subject: [PATCH 2/3] chore: update netapp config --- .../netsource/app-netsource-netapp_ontap.conf | 26 ++++++++++++++++--- .../app-vps-test-netapp_ontap.conf | 3 ++- .../netapp/app-netsource-netapp_ontap.conf | 26 ++++++++++++++++--- 3 files changed, 48 insertions(+), 7 deletions(-) diff --git a/package/etc/conf.d/conflib/netsource/app-netsource-netapp_ontap.conf b/package/etc/conf.d/conflib/netsource/app-netsource-netapp_ontap.conf index 08cd806164..60d72bcfd7 100644 --- a/package/etc/conf.d/conflib/netsource/app-netsource-netapp_ontap.conf +++ b/package/etc/conf.d/conflib/netsource/app-netsource-netapp_ontap.conf @@ -34,6 +34,26 @@ block parser app-netsource-netapp_ontap() { class('audit') ); }; + } elif { + parser { + regexp-parser( + prefix(".tmp.") + patterns('\[(?[^:]+):(?[^:]+):(?[^\]]+)\]: (?.*)') + template("${MESSAGE}") + ); + }; + rewrite { + set('${.tmp.message}' value('MESSAGE')); + set('${.tmp.host}' value('HOST')); + set('${.tmp.category}' value('fields.category')); + set('${.tmp.severity}' value('fields.severity')); + }; + rewrite { + r_set_splunk_dest_update_v2( + sourcetype('netapp:ontap:ems') + class('ems') + ); + }; } else { rewrite { r_set_splunk_dest_update_v2( @@ -46,10 +66,10 @@ block parser app-netsource-netapp_ontap() { }; application app-netsource-netapp_ontap[sc4s-network-source] { - filter { + filter { match("netapp", value('.netsource.sc4s_vendor'), type(string)) and match("ontap", value('.netsource.sc4s_product'), type(string)) and "`SC4S_NETAPP_ONTAP_NEW_FORMAT`" eq "yes" - }; + }; parser { app-netsource-netapp_ontap(); }; -}; +}; \ No newline at end of file diff --git a/package/etc/test_parsers/app-vps-test-netapp_ontap.conf b/package/etc/test_parsers/app-vps-test-netapp_ontap.conf index 24b14274e0..f4319c97e9 100644 --- a/package/etc/test_parsers/app-vps-test-netapp_ontap.conf +++ b/package/etc/test_parsers/app-vps-test-netapp_ontap.conf 
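Review bot: The `regexp-parser` pattern in the new `elif` branch is unanchored and its first capture is copied unchecked into `HOST` by `set('${.tmp.host}' value('HOST'))`, so any message containing a `[a:b:c]: ` triple anywhere in its body would be classified as `netapp:ontap:ems`, lose the text before the bracket, and take its host name from sender-controlled payload. The vps test filter later in this series matches `[netapp-ontap-` as a message prefix, which suggests MESSAGE is expected to begin with the bracket; if so, start the pattern with `^\[` and narrow the first group from `[^:]+` to `[^:\]\s]+` so that whitespace or a closing bracket cannot end up in the host. The named groups appear to have been stripped by the page rendering (`(?[^:]+)`), so the group names are inferred from the `.tmp.*` references. The same hunk is repeated for `package/lite/etc/addons/netapp/app-netsource-netapp_ontap.conf` and needs the same change; the enclosing `block parser` starts and ends outside the hunk.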
@@ -1,6 +1,7 @@ application app-vps-test-netapp_ontap[sc4s-vps] { filter { - host("netapp-ontap-" type(string) flags(prefix)) + or host("netapp-ontap-" type(string) flags(prefix)) + or message("[netapp-ontap-" type(string) flags(prefix)) or ( message("netapp-ontap-" type(string) flags(prefix)) and program("netapp-ontap-" type(string) flags(prefix)) diff --git a/package/lite/etc/addons/netapp/app-netsource-netapp_ontap.conf b/package/lite/etc/addons/netapp/app-netsource-netapp_ontap.conf index 08cd806164..60d72bcfd7 100644 --- a/package/lite/etc/addons/netapp/app-netsource-netapp_ontap.conf +++ b/package/lite/etc/addons/netapp/app-netsource-netapp_ontap.conf @@ -34,6 +34,26 @@ block parser app-netsource-netapp_ontap() { class('audit') ); }; + } elif { + parser { + regexp-parser( + prefix(".tmp.") + patterns('\[(?[^:]+):(?[^:]+):(?[^\]]+)\]: (?.*)') + template("${MESSAGE}") + ); + }; + rewrite { + set('${.tmp.message}' value('MESSAGE')); + set('${.tmp.host}' value('HOST')); + set('${.tmp.category}' value('fields.category')); + set('${.tmp.severity}' value('fields.severity')); + }; + rewrite { + r_set_splunk_dest_update_v2( + sourcetype('netapp:ontap:ems') + class('ems') + ); + }; } else { rewrite { r_set_splunk_dest_update_v2( @@ -46,10 +66,10 @@ block parser app-netsource-netapp_ontap() { }; application app-netsource-netapp_ontap[sc4s-network-source] { - filter { + filter { match("netapp", value('.netsource.sc4s_vendor'), type(string)) and match("ontap", value('.netsource.sc4s_product'), type(string)) and "`SC4S_NETAPP_ONTAP_NEW_FORMAT`" eq "yes" - }; + }; parser { app-netsource-netapp_ontap(); }; -}; +}; \ No newline at end of file From 03274977c8afdb77e69ffe2127979ac45cd65947 Mon Sep 17 00:00:00 2001 From: ajasnosz Date: Tue, 4 Mar 2025 15:06:53 +0100 Subject: [PATCH 3/3] chore: fix typo --- package/etc/test_parsers/app-vps-test-netapp_ontap.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/package/etc/test_parsers/app-vps-test-netapp_ontap.conf b/package/etc/test_parsers/app-vps-test-netapp_ontap.conf index f4319c97e9..1c2f06f5a5 100644 --- a/package/etc/test_parsers/app-vps-test-netapp_ontap.conf +++ b/package/etc/test_parsers/app-vps-test-netapp_ontap.conf @@ -1,6 +1,6 @@ application app-vps-test-netapp_ontap[sc4s-vps] { filter { - or host("netapp-ontap-" type(string) flags(prefix)) + host("netapp-ontap-" type(string) flags(prefix)) or message("[netapp-ontap-" type(string) flags(prefix)) or ( message("netapp-ontap-" type(string) flags(prefix))