chore: add samples for transform tests

Author: mkolasinski-splunk

pytest_splunk_addon/addon_parser/transforms_parser.py

@@ -187,7 +187,8 @@ def get_sourcetype_from_transform(self, transform_stanza: str) -> Optional[str]:
             format_value = transforms_values["FORMAT"]
             # Match pattern: sourcetype::<sourcetype_name>
             # Case-insensitive, handles whitespace, handles quoted values
-            regex = r"(?i)sourcetype\s*::\s*([^\s]+)"
+            # Excludes patterns with $ variables (like $1, $2, etc.) Such cases need to be handled via sourcetype_to_search in pytest-splunk-addon-data.conf
+            regex = r"(?i)sourcetype\s*::\s*([^\s\$]+)"
             match = re.search(regex, format_value)
 
             if match:

tests/e2e/addons/TA_fiction_indextime/default/pytest-splunk-addon-data.conf

@@ -1160,4 +1160,40 @@ token.3.field = dest
 token.4.token = (##DEST_PORT##)
 token.4.replacementType = random
 token.4.replacement = dest_port
-token.4.field = dest_port
+token.4.field = dest_port
+
+# Sample for testing rename sourcetype using source transform
+# Tests the rename_sourcetype_using_source transform which extracts sourcetype from source
+# The transform regex: (?:[a-zA-Z0-9_]+\.)?([a-zA-Z0-9_]+)\.log
+# Expected result: sourcetype should become test:indextime:uf_file_monitor_rename_sourcetype:application
+[uf_rename_sourcetype.samples]
+sourcetype = test:indextime:uf_file_monitor_rename_sourcetype
+host_type = plugin
+input_type = file_monitor
+source = /var/log/application.log
+sourcetype_to_search = test:indextime:uf_file_monitor_rename_sourcetype:application
+sample_count = 1
+timestamp_type = event
+
+token.0.token = (\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+)
+token.0.replacementType = timestamp
+token.0.replacement = %Y-%m-%dT%H:%M:%S
+token.0.field = _time
+
+# Sample for testing sourcetype update transform
+# Tests the update_sourcetype transform which removes _sourcetype suffix
+# The transform regex: sourcetype::(.*)_sourcetype  
+# Expected result: sourcetype should become test:indextime:sourcetype:updated
+[updated_sourcetype.samples]
+sourcetype = test:indextime:sourcetype:updated_sourcetype
+host_type = plugin
+input_type = file_monitor
+source = pytest-splunk-addon:updated_sourcetype
+sourcetype_to_search = test:indextime:sourcetype:updated
+sample_count = 1
+timestamp_type = event
+
+token.0.token = (\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+)
+token.0.replacementType = timestamp
+token.0.replacement = %Y-%m-%dT%H:%M:%S
+token.0.field = _time

tests/e2e/addons/TA_fiction_indextime/samples/uf_rename_sourcetype.samples

@@ -0,0 +1 @@
+2024-01-15T10:32:00.789+0000 INFO File operation completed successfully operation=read file=/var/log/application.log

tests/e2e/addons/TA_fiction_indextime/samples/updated_sourcetype.samples

@@ -0,0 +1 @@
+2024-01-15T10:30:45.123+0000 INFO Application started successfully with config_param=test_value host=server01 static_value_2 component=main