chore: add netapp test

package/etc/conf.d/conflib/netsource/app-netsource-netapp_ontap.conf

@@ -34,6 +34,26 @@ block parser app-netsource-netapp_ontap() {
                     class('audit')
                 );
             };
+        } elif {
+            parser {
+                regexp-parser(
+                    prefix(".tmp.")
+                    patterns('\[(?<host>[^:]+):(?<category>[^:]+):(?<severity>[^\]]+)\]: (?<message>.*)')
+                    template("${MESSAGE}")
+                );
+            };
+            rewrite {
+                set('${.tmp.message}' value('MESSAGE'));
+                set('${.tmp.host}' value('HOST'));
+                set('${.tmp.category}' value('fields.category'));
+                set('${.tmp.severity}' value('fields.severity'));
+            };
+            rewrite {
+                r_set_splunk_dest_update_v2(
+                    sourcetype('netapp:ontap:ems')
+                    class('ems')
+                );
+            };
         } else {
             rewrite {
                 r_set_splunk_dest_update_v2(
@@ -46,10 +66,10 @@ block parser app-netsource-netapp_ontap() {
 };
 
 application app-netsource-netapp_ontap[sc4s-network-source] {
-	filter {
+    filter {
         match("netapp", value('.netsource.sc4s_vendor'), type(string))
         and match("ontap", value('.netsource.sc4s_product'), type(string))
         and "`SC4S_NETAPP_ONTAP_NEW_FORMAT`" eq "yes"
-    };	
+    };
     parser { app-netsource-netapp_ontap(); };
-};
+};

package/etc/test_parsers/app-vps-test-netapp_ontap.conf

@@ -1,6 +1,7 @@
 application app-vps-test-netapp_ontap[sc4s-vps] {
     filter {
         host("netapp-ontap-" type(string) flags(prefix))
+        or message("[netapp-ontap-" type(string) flags(prefix))
         or (
             message("netapp-ontap-" type(string) flags(prefix))
             and program("netapp-ontap-" type(string) flags(prefix))

package/lite/etc/addons/netapp/app-netsource-netapp_ontap.conf

@@ -34,6 +34,26 @@ block parser app-netsource-netapp_ontap() {
                     class('audit')
                 );
             };
+        } elif {
+            parser {
+                regexp-parser(
+                    prefix(".tmp.")
+                    patterns('\[(?<host>[^:]+):(?<category>[^:]+):(?<severity>[^\]]+)\]: (?<message>.*)')
+                    template("${MESSAGE}")
+                );
+            };
+            rewrite {
+                set('${.tmp.message}' value('MESSAGE'));
+                set('${.tmp.host}' value('HOST'));
+                set('${.tmp.category}' value('fields.category'));
+                set('${.tmp.severity}' value('fields.severity'));
+            };
+            rewrite {
+                r_set_splunk_dest_update_v2(
+                    sourcetype('netapp:ontap:ems')
+                    class('ems')
+                );
+            };
         } else {
             rewrite {
                 r_set_splunk_dest_update_v2(
@@ -46,10 +66,10 @@ block parser app-netsource-netapp_ontap() {
 };
 
 application app-netsource-netapp_ontap[sc4s-network-source] {
-	filter {
+    filter {
         match("netapp", value('.netsource.sc4s_vendor'), type(string))
         and match("ontap", value('.netsource.sc4s_product'), type(string))
         and "`SC4S_NETAPP_ONTAP_NEW_FORMAT`" eq "yes"
-    };	
+    };
     parser { app-netsource-netapp_ontap(); };
-};
+};

tests/test_netapp.py

@@ -87,4 +87,36 @@ def test_netapp_ontap_ems_rfc5424(
     record_property("resultCount", result_count)
     record_property("message", message)
 
+    assert result_count == 1
+
+
+# Netapp Ontap EMS event
+# <13>Feb 10 11:36:10 [cluster-01:secd.conn.auth.failure:notice]: Vserver (datavserver) could not make a connection over the network to server (ip 2.3.3.3, port 389). Error: Operation timed out (Service: LDAP (Active Directory), Operation: SiteDiscovery).
+@pytest.mark.addons("netapp")
+def test_netapp_ontap_ems(
+        record_property, get_host_key, setup_splunk, setup_sc4s
+):
+    host = "netapp-ontap-" + get_host_key
+
+    dt = datetime.datetime.now(datetime.timezone.utc)
+    _, bsd, _, _, _, _, epoch = time_operations(dt)
+
+    # Tune time functions
+    epoch = epoch[:-7]
+    mt = env.from_string(
+        "{{ mark }}{{ bsd }} [{{ host }}:{{ category }}:{{ severity }}]: Vserver (datavserver) could not make a connection over the network to server (ip 2.3.3.3, port 389). Error: Operation timed out (Service: LDAP (Active Directory), Operation: SiteDiscovery)")
+    message = mt.render(mark="<13>", bsd=bsd, host=host, category="secd.conn.auth.failure", severity="notice")
+    sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
+
+    st = env.from_string(
+        'search index=infraops _time={{ epoch }} sourcetype="netapp:ontap:ems" host="{{ host }}"'
+    )
+    search = st.render(epoch=epoch, host=host)
+
+    result_count, _ = splunk_single(setup_splunk, search)
+
+    record_property("host", host)
+    record_property("resultCount", result_count)
+    record_property("message", message)
+
     assert result_count == 1