From 8317ffcde814897b3659ac13f919c5f334a00c8a Mon Sep 17 00:00:00 2001
From: Sean Whalen
Date: Sun, 3 May 2026 19:09:04 -0400
Subject: [PATCH] Fix rename syntax for parsed_sample headers in Splunk DMARC forensic dashboard
---
 dashboards/splunk/dmarc_forensic_dashboard.xml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/dashboards/splunk/dmarc_forensic_dashboard.xml b/dashboards/splunk/dmarc_forensic_dashboard.xml
index f152dc7..1bf3400 100644
--- a/dashboards/splunk/dmarc_forensic_dashboard.xml
+++ b/dashboards/splunk/dmarc_forensic_dashboard.xml
@@ -1,8 +1,8 @@
-
+
- index="email" sourcetype="dmarc:forensic"
+ index="email" (sourcetype="dmarc:forensic" sourcetype="dmarc:failure")
 (parsed_sample.headers.From=$header_from$ OR NOT parsed_sample.headers.From=*) (parsed_sample.headers.To=$header_to$ OR NOT parsed_sample.headers.To=*) (parsed_sample.headers.Subject=$header_subject$ OR NOT parsed_sample.headers.Subject=*)
@@ -61,7 +61,7 @@ DMARC failure email samples
- | rename parsed_sample.headers.From as "from", parsed_sample.headers.Subject as subject, "parsed_sample.headers.In-Reply-To" as reply_to
+ | rename parsed_sample.headers.from{}{} as from, parsed_sample.headers.Subject as subject, parsed_sample.headers.reply-to{}{} as reply_to
 | table arrival_date_utc, source.ip_address, "from", subject, reply_to, authentication_results | sort -arrival_date_utc
@@ -71,4 +71,4 @@
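Review bot: The added base-search line `(sourcetype="dmarc:forensic" sourcetype="dmarc:failure")` has no operator between the two terms, and adjacent terms in a Splunk search are ANDed, so no event can carry both sourcetype values and the dashboard would return nothing; presumably `OR` was intended, i.e. `index="email" (sourcetype="dmarc:forensic" OR sourcetype="dmarc:failure")`, unless the operator was lost when this patch was rendered. The unchanged filters on the context lines that follow still reference `parsed_sample.headers.From`, `.To` and `.Subject`, while the rename in the hunk at line 61 now reads the header as `parsed_sample.headers.from{}{}`; if the ingested fields are now lowercase multivalue fields, each `(X=$token$ OR NOT X=*)` clause is satisfied by every event because `X` is absent, and the From/To/Subject inputs silently stop narrowing the forensic samples. The XML element enclosing this query starts and ends outside the hunk.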
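Review bot: The new rename mixes two field-name conventions in one command: `parsed_sample.headers.from{}{}` and `parsed_sample.headers.reply-to{}{}` are lowercase multivalue names, while `parsed_sample.headers.Subject` keeps the old capitalized scalar form, so if ingest now emits every header the new way the `subject` column will be empty. The source header also changes from `In-Reply-To` (the parent Message-ID) to `reply-to` (the address replies are directed to), which the commit message does not mention; if that is deliberate, the `reply_to` column now shows a different value than before and the title or column name should say so. The removed line double-quoted the hyphenated field name; keeping that form, `"parsed_sample.headers.reply-to{}{}" as reply_to`, removes any ambiguity about `-` and `{}` inside an unquoted rename argument, and the `table` command on the next context line still quotes `"from"` while the rename now writes `as from`, so one form should be used in both places. The start of this search query lies outside the hunk.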
-
\ No newline at end of file
+