Ollama TA (#3757)

patel-bhavin · web-flow · commit d1a15f9e9127 · 2025-11-05T09:50:50.000-08:00
* updating ta

* updating weird things
diff --git a/data_sources/m365_copilot_graph_api.yml b/data_sources/m365_copilot_graph_api.yml
@@ -7,9 +7,9 @@ description: Access Logs from M365 Copilot access via Graph API
 source: AuditLogs.SignIns
 sourcetype: o365:graph:api
 supported_TA:
-- name:  Splunk Add-on for Microsoft Office 365 
+- name: Splunk Add-on for Microsoft Office 365
   url: https://splunkbase.splunk.com/app/4055
-  version: 4.9.0
+  version: 5.0.0
 fields:
 - appDisplayName
 - appId
@@ -38,12 +38,12 @@ fields:
 - index
 - ipAddress
 - isInteractive
-- linecount	
-- location.city	
+- linecount
+- location.city
 - location.countryOrRegion
 - location.geoCoordinates.altitude
 - location.geoCoordinates.latitude
-- location.geoCoordinates.longitude	
+- location.geoCoordinates.longitude
 - location.state
 - punct
 - resourceDisplayName
@@ -64,4 +64,18 @@ fields:
 - userId
 - userPrincipalName
 output_fields: []
-example_log: '{"id": "7fbc0a97-7f78-4cc8-9377-dc94d2ad1e00", "createdDateTime": "2025-09-30T12:34:20Z", "userDisplayName": "Rod  Soto", "userPrincipalName": "rodsoto@rodsoto.onmicrosoft.com", "userId": "bfb8c366-0406-41a5-b3e3-328f4a3b4484", "appId": "9199bf20-a13f-4107-85dc-02114787ef48", "appDisplayName": "One Outlook Web", "ipAddress": "127.0.0.1", "clientAppUsed": "Browser", "correlationId": "8fe7aa9b-42c8-b52e-c6f2-8e4dfc07996b", "conditionalAccessStatus": "notApplied", "isInteractive": true, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Office 365 Exchange Online", "resourceId": "00000002-0000-0ff1-ce00-000000000000", "status": {"errorCode": 0, "failureReason": "Other.", "additionalDetails": "MFA requirement satisfied by claim in the token"}, "deviceDetail": {"deviceId": "", "displayName": "", "operatingSystem": "MacOs", "browser": "Chrome 140.0.0", "isCompliant": false, "isManaged": false, "trustType": ""}, "location": {"city": "Miami", "state": "Florida", "countryOrRegion": "US", "geoCoordinates": {"altitude": null, "latitude": 25.76286, "longitude": -80.31196}}, "appliedConditionalAccessPolicies": []}'
+example_log: '{"id": "7fbc0a97-7f78-4cc8-9377-dc94d2ad1e00", "createdDateTime": "2025-09-30T12:34:20Z",
+  "userDisplayName": "Rod  Soto", "userPrincipalName": "rodsoto@rodsoto.onmicrosoft.com",
+  "userId": "bfb8c366-0406-41a5-b3e3-328f4a3b4484", "appId": "9199bf20-a13f-4107-85dc-02114787ef48",
+  "appDisplayName": "One Outlook Web", "ipAddress": "127.0.0.1", "clientAppUsed":
+  "Browser", "correlationId": "8fe7aa9b-42c8-b52e-c6f2-8e4dfc07996b", "conditionalAccessStatus":
+  "notApplied", "isInteractive": true, "riskDetail": "none", "riskLevelAggregated":
+  "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes":
+  [], "riskEventTypes_v2": [], "resourceDisplayName": "Office 365 Exchange Online",
+  "resourceId": "00000002-0000-0ff1-ce00-000000000000", "status": {"errorCode": 0,
+  "failureReason": "Other.", "additionalDetails": "MFA requirement satisfied by claim
+  in the token"}, "deviceDetail": {"deviceId": "", "displayName": "", "operatingSystem":
+  "MacOs", "browser": "Chrome 140.0.0", "isCompliant": false, "isManaged": false,
+  "trustType": ""}, "location": {"city": "Miami", "state": "Florida", "countryOrRegion":
+  "US", "geoCoordinates": {"altitude": null, "latitude": 25.76286, "longitude": -80.31196}},
+  "appliedConditionalAccessPolicies": []}'
diff --git a/data_sources/m365_exported_ediscovery_prompts.yml b/data_sources/m365_exported_ediscovery_prompts.yml
@@ -9,12 +9,12 @@ sourcetype: csv
 fields:
 - Added by
 - Author
-- Compound path	
+- Compound path
 - Contains deleted message
 - Contains edited message
 - Conversation name
 - Conversation type
-- Created	
+- Created
 - Created by
 - Data source
 - Date
@@ -34,13 +34,13 @@ fields:
 - Has attachment
 - Has text
 - Immutable ID
-- Internet message ID	
+- Internet message ID
 - Is attachment from transcript
 - Is doc from conversation
 - Is modern attachment
 - Is read
 - Item class
-- Item source	
+- Item source
 - Last modified by
 - Last modified time
 - Location ID
@@ -52,11 +52,11 @@ fields:
 - Received
 - Recipient count
 - Retention label
-- SPO unique ID	
+- SPO unique ID
 - Sender
 - Sensitive type
 - Size
-- Source ID	
+- Source ID
 - Status
 - Subject_Title
 - Target path
@@ -70,11 +70,11 @@ fields:
 - date_month
 - date_second
 - date_wday
-- date_year	
-- date_zone	
-- eventtype	
+- date_year
+- date_zone
+- eventtype
 - host
-- index	
+- index
 - linecount
 - punct
 - source
diff --git a/data_sources/ollama_server.yml b/data_sources/ollama_server.yml
@@ -6,14 +6,17 @@ author: Rod Soto, Splunk
 description: 'Ollama server logs (HTTP access logs via GIN framework and system logs including GPU/CPU utilization, model loading, memory allocation, errors, and warnings) via Splunk TA-ollama add-on by configuring file monitoring inputs to your log directories (sourcetype: ollama:server), or enable HEC for real-time API telemetry and prompt analytics (sourcetypes: ollama:api, ollama:prompts). This TA is not available on Splunkbase and must be installed manually via the GitHub repository - https://github.com/rosplk/ta-ollama'
 sourcetype: ollama:server
 source: server.log
-supported_TA: []
+supported_TA:
+- name: TA-ollama
+  url: https://splunkbase.splunk.com/app/8024
+  version: 0.1.3
 fields:
 - CPU_0_AVX
 - CPU_0_AVX2
 - CPU_0_AVX_VNNI
 - CPU_0_BMI2
 - CPU_0_F16C
-- CPU_0_FMA	
+- CPU_0_FMA
 - CPU_0_LLAMAFILE
 - CPU_0_SSE3
 - CPU_0_SSSE3
@@ -29,7 +32,7 @@ fields:
 - bundle
 - cmd
 - compiler
-- compute	
+- compute
 - cores
 - count
 - date_hour
@@ -56,7 +59,7 @@ fields:
 - http_response_code
 - http_status
 - id
-- index	
+- index
 - installer
 - interval
 - layers_model
@@ -68,7 +71,7 @@ fields:
 - linecount
 - maxEfficiencyClass
 - memory_available
-- memory_gpu_overhead	
+- memory_gpu_overhead
 - memory_graph_full
 - memory_graph_partial
 - memory_required_allocations
@@ -100,9 +103,9 @@ fields:
 - timeendpos
 - timestartpos
 - tool_count
-- total	
-- variant	
-- vendor_product	
+- total
+- variant
+- vendor_product
 - version
 output_fields: []
 example_log: 'time=2025-10-02T14:46:19.789-04:00 level=INFO source=server.go:544 msg=offload library=cuda layers.requested=-1 layers.model=29 layers.offload=29 layers.split=[29] memory.available="[6.9 GiB]" memory.gpu_overhead="0 B" memory.required.full="3.1 GiB" memory.required.partial="3.1 GiB" memory.required.kv="448.0 MiB" memory.required.allocations="[3.1 GiB]" memory.weights.total="1.9 GiB" memory.weights.repeating="1.6 GiB" memory.weights.nonrepeating="308.2 MiB" memory.graph.full="256.5 MiB" memory.graph.partial="570.7 MiB"'
