Malcolm is a powerful, easily deployable network traffic analysis tool suite for full packet capture artifacts (PCAP files), Zeek logs and Suricata alerts.
As of release v24.01.0, the MALCOLM_NETWORK_INDEX_PATTERN and MALCOLM_NETWORK_INDEX_SUFFIX environment variables allow splitting out Suricata and Zeek to a different index pattern from the one Arkime creates.
It may be useful to add another replacer to the pattern definable in either one or the other of these variables (probably the suffix?) to further allow it to be split out based on the event.provider variable (suricata vs. zeek, etc.).
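To make the proposal concrete, here is an added illustration (not Malcolm's own code) of how an index name could be derived from a base pattern and a suffix template that carries both a date replacer and an event.provider replacer. The %{...} token syntax, the base name malcolm_network, the "unknown" fallback and the sample events are all assumptions made for this example.

```python
import re
from datetime import datetime, timezone

# ASSUMPTION: %{...} token syntax is invented for this illustration, not Malcolm's documented format.
TOKEN = re.compile(r"%\{([^}]+)\}")

def lookup(event, dotted):
    """Resolve a dotted field path such as 'event.provider' inside a nested dict."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def render(template, event, now, default="unknown"):
    """Expand %{%y%m%d}-style strftime tokens and %{field.path} event-field tokens."""
    def sub(match):
        body = match.group(1)
        if body.startswith("%"):            # strftime directive, e.g. %{%y%m%d}
            return now.strftime(body)
        value = lookup(event, body)
        # Fall back to a fixed segment instead of emitting an empty one, which would
        # produce a malformed index name; lowercase because index names must be lowercase.
        return str(value).lower() if value is not None else default
    return TOKEN.sub(sub, template)

def index_name(base, suffix, event, now):
    """Combine the base pattern and the rendered suffix into the target index name."""
    return f"{render(base, event, now)}-{render(suffix, event, now)}"

def route_counts(events, base, suffix, now):
    """Count how many events would land in each index (shows the per-provider split)."""
    counts = {}
    for ev in events:
        name = index_name(base, suffix, ev, now)
        counts[name] = counts.get(name, 0) + 1
    return counts

# Constructed sample data for the demonstration
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)
ZEEK_EVENT = {"event": {"provider": "zeek"}, "zeek": {"conn": {"uid": "constructed"}}}
SURICATA_EVENT = {"event": {"provider": "suricata"}, "suricata": {"alert": {"signature": "constructed"}}}
UNTAGGED_EVENT = {"message": "constructed log line with no event.provider"}
SUFFIX = "%{event.provider}-%{%y%m%d}"

if __name__ == "__main__":
    print(route_counts([ZEEK_EVENT, SURICATA_EVENT, ZEEK_EVENT, UNTAGGED_EVENT],
                       "malcolm_network", SUFFIX, NOW))
```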