feat: create new parser for epic (#2318)

docs/sources/vendor/epic/epic_ehr.md

@@ -0,0 +1,24 @@
+# Epic EHR
+
+## Key facts
+
+* Requires vendor product by source configuration
+* Legacy BSD Format default port 514
+
+## Links
+
+| Ref            | Link                                                                                                    |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on  | na                                                                                                      |
+
+## Sourcetypes
+
+| sourcetype                  | notes                                                                                      |
+|-----------------------------|--------------------------------------------------------------------------------------------|
+| epic:epic-ehr:syslog        | None                                                                                       |
+
+### Index Configuration
+
+| key            | sourcetype           | index          | notes          |
+|----------------|----------------------|----------------|----------------|
+| epic_epic-ehr  | epic:epic-ehr:syslog | main           | none           |

package/etc/conf.d/conflib/syslog/app-syslog-epic_ehr.conf

@@ -0,0 +1,28 @@
+block parser app-syslog-epic_ehr() {
+    channel {
+        rewrite {
+            r_set_splunk_dest_default(
+                index("main")
+                source("epic-ehr")
+                sourcetype('epic:epic-ehr:syslog')
+                vendor("epic")
+                product("epic-ehr")
+                template('t_json_values')
+            );
+        };
+        parser {
+            xml(
+                prefix('.values.')
+                drop-invalid(no)
+            );
+        };
+   };
+};
+
+
+application app-syslog-epic_ehr[sc4s-syslog-pgm] {
+    filter {
+        program('Epic' type(string) flags(prefix));
+    };
+    parser { app-syslog-epic_ehr(); };
+};

package/lite/etc/addons/epic/addon_metadata.yaml

@@ -0,0 +1,2 @@
+---
+name: "epic"

package/lite/etc/addons/epic/app-syslog-epic_ehr.conf

@@ -0,0 +1,28 @@
+block parser app-syslog-epic_ehr() {
+    channel {
+        rewrite {
+            r_set_splunk_dest_default(
+                index("main")
+                source("epic-ehr")
+                sourcetype('epic:epic-ehr:syslog')
+                vendor("epic")
+                product("epic-ehr")
+                template('t_json_values')
+            );
+        };
+        parser {
+            xml(
+                prefix('.values.')
+                drop-invalid(no)
+            );
+        };
+   };
+};
+
+
+application app-syslog-epic_ehr[sc4s-syslog-pgm] {
+    filter {
+        program('Epic' type(string) flags(prefix));
+    };
+    parser { app-syslog-epic_ehr(); };
+};

package/lite/etc/config.yaml

@@ -81,3 +81,4 @@ addons:
   - semperis
   - powertech
   - thales
+  - epic

tests/test_epic_ehr.py

@@ -0,0 +1,49 @@
+# Copyright 2019 Splunk, Inc.
+#
+# Use of this source code is governed by a BSD-2-clause-style
+# license that can be found in the LICENSE-BSD2 file or at
+# https://opensource.org/licenses/BSD-2-Clause
+
+from jinja2 import Environment, select_autoescape
+
+from .sendmessage import sendsingle
+from .splunkutils import  splunk_single
+from .timeutils import time_operations
+import datetime
+import pytest
+
+env = Environment(autoescape=select_autoescape(default_for_string=False))
+
+epic_ehr_testdata = [r'{{ mark }} {{ iso }}Z {{ host }} Epic 7652 - [origin software="Security-SIEM" swVersion="10.5.0"] <?xml version="1.0"?><EventLog>    <E1Mid>IC_SERVICE_AUDIT</E1Mid>    <EventCnt>1</EventCnt>    <EMPid>113^SERVICE, INTERCONNECT^ICSVC</EMPid>    <Source>poc</Source>    <LWSid></LWSid>    <Action>Query</Action>    <Date>1/19/2024</Date>    <Time>10:43:19 AM</Time>    <Flag>Access History^^</Flag>    <Mnemonics>      <Mnemonic Name="APIID">        <Value>1</Value>      </Mnemonic>      <Mnemonic Name="APPLICATIONID">        <Value>1</Value>      </Mnemonic>      <Mnemonic Name="CLIENTNAME">        <Value>TST-EPIC-TEST</Value>      </Mnemonic>      <Mnemonic Name="INSTANCEURN">        <Value>aa:aa:aaa</Value>      </Mnemonic>      <Mnemonic Name="IP">        <Value>Unknown IP</Value>      </Mnemonic>      <Mnemonic Name="SERVICECATEGORY">        <Value>Interconnect</Value>      </Mnemonic>      <Mnemonic Name="SERVICEID">        <Value>aaaaa</Value>      </Mnemonic>      <Mnemonic Name="SERVICENAME">        <Value>aa:aaa:aa</Value>      </Mnemonic>      <Mnemonic Name="SERVICETYPE">        <Value>REST-WebAPI</Value>      </Mnemonic>    </Mnemonics>  </EventLog>',]
+
+@pytest.mark.parametrize("event", epic_ehr_testdata)
+@pytest.mark.addons("epic")
+def test_epic_ehr(
+    record_property, get_host_key, setup_splunk, setup_sc4s, event
+):
+    host = get_host_key
+
+    dt = datetime.datetime.now(datetime.timezone.utc)
+    iso, _, _, _, _, _, epoch = time_operations(dt)
+
+    # Tune time functions
+    iso = dt.isoformat()[0:23]
+    epoch = epoch[:-3]
+
+    mt = env.from_string(event + "\n")
+    message = mt.render(mark="<85>1", iso=iso, host=host)
+
+    sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
+
+    st = env.from_string(
+        'search _time={{ epoch }} index=main host="{{ host }}" sourcetype="epic:epic-ehr:syslog" source="epic-ehr"'
+    )
+    search = st.render(epoch=epoch, host=host)
+
+    result_count, _ = splunk_single(setup_splunk, search)
+
+    record_property("host", host)
+    record_property("resultCount", result_count)
+    record_property("message", message)
+
+    assert result_count == 1