Requirement test events if not mapped to any CIM DM are not ingested

[hsekowski-splunk]

Example event:
<event code="" name="HttpSessionDestroyedContainerBackgroundProcessor" format=""> <transport type="modinput" sourcetype="jira:datacenter:security:log" source="/var/atlassian/application-data/jira/log/atlassian-jira-security.log" host="so1" /> <source> <jira id="" /> <comment>lab</comment> </source> <raw><![CDATA[2022-01-03 10:30:02,172+0000 ContainerBackgroundProcessor[StandardEngine[Catalina]] HttpSession [1abc2de] destroyed for 'someone']]></raw> <cim /> </event>

[hsekowski-splunk]

Validation should still be applied to this kind of events - expected not mapping to any CIM DM

[nandinivij]

Requirement tests are built to test the event's CIM mapping and field extractions. We intentionally do not ingest the above data as we have nothing to test for these events.
By Validation do you mean ingestion success? or do we want to add field extraction not associated with CIM and validate them?

[hsekowski-splunk]

@nandinivij ,
as stated above: expected not mapping to any CIM DM

[nandinivij]

@hsekowski-splunk By Validation do you mean ingestion success? or do we want to add field extraction not associated with CIM and validate them?

If we are not looking to validate non-CIM fields. I don't see any benefits of ingesting events like the above.

[nandinivij]

2 Enhancement cases :

• Test CIM fields when no DM is given(Higher priority)
• Test non-CIM field extractions (Schema changes needed)