Make dashboard queries backward compatible to show data from both forensic and failure indexes

Co-authored-by: seanthegeek <44679+seanthegeek@users.noreply.github.com>
2026-03-27 00:42:47 +00:00 · 2026-02-20 21:38:45 +00:00
parent 2d7a56b740
commit 733ea58d20
4 changed files with 18 additions and 8 deletions
--- a/kibana/export.ndjson
+++ b/kibana/export.ndjson
--- a/parsedmarc/elastic.py
+++ b/parsedmarc/elastic.py
@@ -615,11 +615,16 @@ def save_failure_report_to_elasticsearch(
    arrival_date_epoch_milliseconds = int(arrival_date.timestamp() * 1000)

    if index_suffix is not None:
-        search_index = "dmarc_failure_{0}*".format(index_suffix)
+        search_index = "dmarc_failure_{0}*,dmarc_forensic_{0}*".format(
+            index_suffix
+        )
    else:
-        search_index = "dmarc_failure*"
+        search_index = "dmarc_failure*,dmarc_forensic*"
    if index_prefix is not None:
-        search_index = "{0}{1}".format(index_prefix, search_index)
+        search_index = ",".join(
+            "{0}{1}".format(index_prefix, part)
+            for part in search_index.split(",")
+        )
    search = Search(index=search_index)
    q = Q(dict(match=dict(arrival_date=arrival_date_epoch_milliseconds)))  # pyright: ignore[reportArgumentType]

--- a/parsedmarc/opensearch.py
+++ b/parsedmarc/opensearch.py
@@ -644,11 +644,16 @@ def save_failure_report_to_opensearch(
    arrival_date_epoch_milliseconds = int(arrival_date.timestamp() * 1000)

    if index_suffix is not None:
-        search_index = "dmarc_failure_{0}*".format(index_suffix)
+        search_index = "dmarc_failure_{0}*,dmarc_forensic_{0}*".format(
+            index_suffix
+        )
    else:
-        search_index = "dmarc_failure*"
+        search_index = "dmarc_failure*,dmarc_forensic*"
    if index_prefix is not None:
-        search_index = "{0}{1}".format(index_prefix, search_index)
+        search_index = ",".join(
+            "{0}{1}".format(index_prefix, part)
+            for part in search_index.split(",")
+        )
    search = Search(index=search_index)
    q = Q(dict(match=dict(arrival_date=arrival_date_epoch_milliseconds)))

--- a/splunk/dmarc_failure_dashboard.xml
+++ b/splunk/dmarc_failure_dashboard.xml
@@ -2,7 +2,7 @@
  <label>Failure DMARC Data</label>
  <search id="base_search">
    <query>
-      index="email" sourcetype="dmarc:failure" parsed_sample.headers.From=$header_from$ parsed_sample.headers.To=$header_to$ parsed_sample.headers.Subject=$header_subject$ source.ip_address=$source_ip_address$ source.reverse_dns=$source_reverse_dns$ source.country=$source_country$
+      index="email" (sourcetype="dmarc:failure" OR sourcetype="dmarc:forensic") parsed_sample.headers.From=$header_from$ parsed_sample.headers.To=$header_to$ parsed_sample.headers.Subject=$header_subject$ source.ip_address=$source_ip_address$ source.reverse_dns=$source_reverse_dns$ source.country=$source_country$
      | table *
    </query>
    <earliest>$time_range.earliest$</earliest>