From 526597e43433696b897b345127d6f7090eff9fed Mon Sep 17 00:00:00 2001
From: Ilya Kheifets
Date: Mon, 23 Oct 2023 15:58:53 +0200
Subject: [PATCH] feat: add parser for powertech interact

---
 docs/sources/vendor/Powertech/interact.md | 31 +++++++++++++++++++
 .../cef/app-cef-powertech_interact.conf | 21 +++++++++++++
 2 files changed, 52 insertions(+)
 create mode 100644 docs/sources/vendor/Powertech/interact.md
 create mode 100644 package/etc/conf.d/conflib/cef/app-cef-powertech_interact.conf

diff --git a/docs/sources/vendor/Powertech/interact.md b/docs/sources/vendor/Powertech/interact.md
new file mode 100644
index 0000000000..114e7db874
--- /dev/null
+++ b/docs/sources/vendor/Powertech/interact.md
@@ -0,0 +1,31 @@
+# PowerTech Interact
+
+## Key facts
+
+* MSG Format based filter
+* CEF Format default port 514
+
+## Links
+
+| Ref | Link |
+|-----------------------------|--------------------------------------------------------------------------------------------|
+| Splunk Add-on | None |
+
+
+## Sourcetypes
+
+| sourcetype | notes |
+|-----------------------------|--------------------------------------------------------------------------------------------|
+| PowerTech:Interact:cef | CEF |
+
+## Source
+
+| source | notes |
+|-----------------------------|--------------------------------------------------------------------------------------------|
+| PowerTech:Interact:cef | None |
+
+### Index Configuration
+
+| key | source | index | notes |
+|--------------------|---------------------|------------------------|----------------|
+|PowerTech_Interact | PowerTech:Interact | netops | none |
diff --git a/package/etc/conf.d/conflib/cef/app-cef-powertech_interact.conf b/package/etc/conf.d/conflib/cef/app-cef-powertech_interact.conf
new file mode 100644
index 0000000000..66d9f264c1
--- /dev/null
+++ b/package/etc/conf.d/conflib/cef/app-cef-powertech_interact.conf
@@ -0,0 +1,21 @@
+block parser app-cef-power_interact() {
+ channel {
+ rewrite {
+ r_set_splunk_dest_default(
+ index('netops'),
+ source('PowerTech:Interact'),
+ sourcetype('PowerTech:Interact:cef')
+ vendor('PowerTech')
+ product('Interact')
+ );
+ };
+ };
+};
+
+application app-cef-power_interact[cef] {
+ filter{
+ match("PowerTech" value(".metadata.cef.device_vendor"))
+ and match("Interact" value(".metadata.cef.device_product"));
+ };
+ parser { app-cef-power_interact(); };
+};
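Review bot: The argument list of `r_set_splunk_dest_default()` is written inconsistently: `index('netops'),` and `source('PowerTech:Interact'),` carry trailing commas while `sourcetype(...)`, `vendor(...)` and `product(...)` do not; syslog-ng block arguments are normally whitespace-separated, so the two commas look like a leftover and should be dropped so every argument is written the same way. The parser and application are named `app-cef-power_interact` while the file is `app-cef-powertech_interact.conf` and the vendor is `PowerTech`; renaming both to `app-cef-powertech_interact` keeps the usual file/block correspondence and makes the parser easier to find. The `match()` calls in the filter carry no `type()`, so they perform an unanchored regex search and any CEF device_vendor containing "PowerTech" together with any device_product containing "Interact" is routed to this sourcetype; if an exact match is intended, add `type(string)` to both calls. The Source table in the docs added by the same commit lists `PowerTech:Interact:cef`, whereas this block sets `source('PowerTech:Interact')`; one of the two should be corrected so the documentation matches the configuration.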