updating network traffic datamodel

harshilgajera-crest · harshilgajera-crest · commit 2bd6c4400b73 · 2020-11-30T17:54:05.000+05:30
diff --git a/pytest_splunk_addon/standard_lib/data_models/Network_Traffic.json b/pytest_splunk_addon/standard_lib/data_models/Network_Traffic.json
@@ -64,14 +64,15 @@
         {
           "name": "dest_ip",
           "type": "conditional",
-          "condition": "| regex dest=\"(?:[0-9A-Fa-f]{1,4}:){7}[0-9A-Fa-f]{1,4}|(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(?:\\.|$)){4}\"",
-          "validity": "if(dest_ip==dest,dest_ip,null())",
+          "condition": "dest_ip=*",
+          "validity": "if(match(dest_ip, \"(?:[0-9A-Fa-f]{1,4}:){7}[0-9A-Fa-f]{1,4}|(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(?:\\.|$)){4}\"),dest_ip,null())",
           "comment": "The IP address of the destination."
         },
         {
           "name": "dest_mac",
-          "type": "optional",
-          "validity": "if(dest==dest_mac,dest_mac,null())",
+          "type": "conditional",
+          "condition": "dest_mac=*",
+          "validity": "if(match(dest_mac,\"^([0-9A-F]{2}[:-]){5}([0-9A-F]{2})$\"),dest_mac,null())",
           "comment": "The destination TCP/IP layer 2 Media Access Control (MAC) address of a packet's destination, such as 06:10:9f:eb:8f:14. Note: Always force lower case on this field and use colons instead of dashes, spaces, or no separator."
         },
         {
@@ -265,15 +266,15 @@
         {
           "name": "src_ip",
           "type": "conditional",
-          "condition": "| regex src=\"(?:[0-9A-Fa-f]{1,4}:){7}[0-9A-Fa-f]{1,4}|(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(?:\\.|$)){4}\"",
-          "validity": "if(src_ip==src,src_ip,null())",
+          "condition": "src_ip=*",
+          "validity": "if(match(src_ip, \"(?:[0-9A-Fa-f]{1,4}:){7}[0-9A-Fa-f]{1,4}|(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(?:\\.|$)){4}\"),src_ip,null())",
           "comment": "The ip address of the source."
         },
         {
           "name": "src_mac",
           "type": "conditional",
-          "condition": "| regex src=\"^([0-9A-F]{2}[:-]){5}([0-9A-F]{2})$\"",
-          "validity": "if(src==src_mac,src_mac,null())",
+          "condition": "src_mac=*",
+          "validity": "if(match(src_mac,\"^([0-9A-F]{2}[:-]){5}([0-9A-F]{2})$\"),src_mac,null())",
           "comment": "The source TCP/IP layer 2 Media Access Control (MAC) address of a packet's destination, such as 06:10:9f:eb:8f:14. Note: Always force lower case on this field and use colons instead of dashes, spaces, or no separator."
         },
         {
