Releases: rosplk/ta-ollama
v0.1.5
Version 0.1.5 (2025-12-04)
Bug Fixes
- Event Line Breaking: Fixed event segmentation to break on time boundaries instead of the GIN pattern
  - Added `TIME_PREFIX` to handle both GIN and standard Ollama log time formats
  - Added `MAX_TIMESTAMP_LOOKAHEAD` for improved timestamp detection
  - Prevents duplicate events and incorrect multi-line event creation
- Field Extraction Improvements:
  - Updated regex in transforms.conf to handle variable-width padding in GIN logs
  - Added trim() operations for `src` and `response_time` fields to remove visual alignment padding
  - Better handling of IPv4 vs IPv6 spacing differences in GIN output
- Time Parsing Enhancements:
  - Extended `response_time_ms` calculation to handle compound time formats (e.g., "15m29s")
  - Properly converts long-duration requests (model downloads, complex generations)
  - Fixes inaccurate time calculations for requests exceeding 60 seconds
CIM Compliance Enhancements
- Added `method` field: Standard CIM Web datamodel field alias for `http_method`
  - Improves compatibility with CIM-compliant searches and dashboards
  - Better integration with Splunk Enterprise Security (ES)
- Added `code_source` field: Extracts Go source file locations from structured logs
  - Example: `server.go:1332`, `sched.go:517`
  - Useful for troubleshooting and debugging Ollama internals
  - Avoids conflict with Splunk's built-in `source` metadata field
- Improved `uri_query` extraction: Dynamic extraction instead of hardcoded empty string
  - Properly extracts query parameters when present (e.g., `/api/models?name=llama`)
  - Returns null when no query string exists
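The field extraction, compound duration handling and `uri_query` behaviour described above, reimplemented in Python as an added example (not the TA's own props.conf/transforms.conf logic). It assumes the default GIN access-log layout with variable-width latency and client-IP padding; the sample lines are constructed.

```python
import re
from typing import Optional

# Constructed GIN-style lines in the layout Ollama's HTTP server emits (assumed format).
# Padding before latency and src varies with value width, which is what trim() addresses.
SAMPLE_LOGS = [
    '[GIN] 2025/12/04 - 10:15:32 | 200 |     15m29s |       127.0.0.1 | POST     "/api/pull"',
    '[GIN] 2025/12/04 - 10:15:33 | 200 |    1.234ms | 2001:db8::1 | GET      "/api/models?name=llama"',
    '[GIN] 2025/12/04 - 10:15:34 | 404 |   512.3µs |       10.0.0.7 | GET      "/missing"',
]

# Non-greedy-free regex: \s* absorbs the alignment padding so IPv4 and IPv6 both match.
GIN_RE = re.compile(
    r'^\[GIN\] (?P<ts>\d{4}/\d{2}/\d{2} - \d{2}:\d{2}:\d{2}) \|\s*(?P<status>\d{3}) \|'
    r'\s*(?P<latency>\S+)\s*\|\s*(?P<src>\S+)\s*\| (?P<method>[A-Z]+)\s+"(?P<uri>[^"]*)"'
)

# Go time.Duration units -> milliseconds. "ms" must precede "m" in the alternation.
UNIT_MS = {"h": 3_600_000.0, "m": 60_000.0, "s": 1000.0, "ms": 1.0,
           "µs": 0.001, "us": 0.001, "ns": 0.000001}
DUR_RE = re.compile(r'(\d+(?:\.\d+)?)(h|ms|m|s|µs|us|ns)')


def duration_to_ms(text: str) -> Optional[float]:
    """Convert a compound Go duration ('15m29s', '1.234ms') to ms; None if malformed."""
    parts = DUR_RE.findall(text)
    # Reject anything that is not purely a sequence of <number><unit> tokens.
    if not parts or "".join(v + u for v, u in parts) != text:
        return None
    return round(sum(float(v) * UNIT_MS[u] for v, u in parts), 6)


def parse_gin_line(line: str) -> Optional[dict]:
    """Extract the CIM Web fields the release note describes from one GIN line."""
    m = GIN_RE.match(line)
    if not m:
        return None
    path, _, query = m["uri"].partition("?")
    return {
        "timestamp": m["ts"],
        "status": int(m["status"]),
        "response_time_ms": duration_to_ms(m["latency"]),  # 15m29s -> 929000.0
        "src": m["src"],                 # padding already excluded by the regex
        "http_method": m["method"],
        "method": m["method"],           # CIM Web alias, mirroring the FIELDALIAS
        "uri_path": path,
        "uri_query": query or None,      # null when no query string exists
    }
```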
Configuration Fixes
- inputs.conf.spec Universal Forwarder Compatibility: Fixed stanza conflict with Universal Forwarder
  - Removed explicit `[monitor://<path>]` stanza definition from inputs.conf.spec
  - Converted monitor configuration to documentation comments only
  - Resolves "conflicts with splunk stanza" error on Universal Forwarder deployments
  - Added reference to GitHub documentation for Linux log collection setup
  - No functional impact - monitor inputs continue to work as expected
Technical Changes
- Modified props.conf:
  - Added TIME_PREFIX, MAX_TIMESTAMP_LOOKAHEAD, and field trimming EVALs
  - Added `FIELDALIAS-cim_web_method = http_method AS method`
  - Added `EVAL-code_source` for Go source file extraction
  - Updated `EVAL-uri_query` for dynamic extraction
- Modified transforms.conf: Simplified regex with non-greedy matching for variable spacing
- No reindex required (search-time only changes)
Testing & Validation
- Verified HEC integration with ollama:prompts and ollama:api sourcetypes
- Tested field extraction with multiple log formats (GIN HTTP logs, structured logs)
- Validated CIM Web datamodel compliance
- Confirmed all core and extended CIM fields are properly populated
Impact
- Resolves duplicate event issues
- Improves accuracy for long-running operation detection
- Better data quality for security detections and analytics
- Enhanced CIM compliance for enterprise deployments
- Improved Splunkbase standards adherence
v0.1.4
Release Notes - TA-ollama v0.1.4
Bug Fixes
- Fixed AWS Splunk Cloud compatibility error with transform validation
- Resolved "regex has no capturing groups" error in ollama_static_cim_fields
Improvements
- Migrated static CIM field assignments to EVAL statements for better performance
- Enhanced cross-platform compatibility across all Splunk deployments
- Simplified configuration with consolidated field mappings in props.conf
Compatibility
- Splunk Enterprise 8.0+
- Splunk Cloud Platform (AWS and non-AWS)
- All platforms: Linux, Windows, macOS
Upgrade Notes
- Drop-in replacement for v0.1.3
- No configuration changes required
- Maintains CIM 5.0+ Web datamodel compliance