AddonParser
The module provides the Add-on parsing mechanism. It can parse the knowledge objects from an Add-on’s configuration files.
Supports: fields from props & transforms, tags, eventtypes.
- class standard_lib.addon_parser.AddonParser(splunk_app_path)
Bases: object
Parse the knowledge objects from an Add-on’s configuration files. Supports: fields from props & transforms, tags, eventtypes
- Parameters
splunk_app_path (str) – Path to the Splunk App
- get_eventtypes()
Parse the App configuration files & yield eventtypes
- Yields
generator of list of eventtypes
- get_props_fields()
Parse the props.conf and yield all supported fields
- Yields
generator of all the supported fields
PropsParser
Provides props.conf parsing mechanism
- class standard_lib.addon_parser.props_parser.PropsParser(splunk_app_path: str)
Bases: object
Parses props.conf and extracts the fields.
- Parameters
splunk_app_path (str) – Path of the Splunk app
- static get_list_of_sources(source: str) -> Generator
For a source containing | (OR), it returns all combinations. Uses itertools.product to list the combinations.
Example:
input: "(preA|preB)str(postX|postY)"
output: [ preAstrpostX preBstrpostX preAstrpostY preBstrpostY ]
- Parameters
source (str) – Source name
- Yields
generator of source name
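An added example, not the project's own code: one way to produce the expansion that get_list_of_sources describes, assuming alternation groups are not nested. The names split_source and expand_source are hypothetical.

```python
import itertools
import re
from typing import Iterator, List

# Matches one parenthesised group that contains at least one "|",
# e.g. "(preA|preB)". Assumption: groups are not nested.
_ALTERNATION = re.compile(r"\(([^()]*\|[^()]*)\)")


def split_source(source: str) -> List[List[str]]:
    """Split a source pattern into segments, each a list of choices.

    Literal text becomes a one-element list; "(a|b)" becomes ["a", "b"].
    Parentheses without "|" are left in place as literal text.
    """
    segments: List[List[str]] = []
    pos = 0
    for match in _ALTERNATION.finditer(source):
        if match.start() > pos:
            segments.append([source[pos:match.start()]])
        segments.append(match.group(1).split("|"))
        pos = match.end()
    if pos < len(source):
        segments.append([source[pos:]])
    return segments


def expand_source(source: str) -> Iterator[str]:
    """Yield every concrete source name covered by the alternations.

    itertools.product varies the last group fastest, so the order of
    the results can differ from a hand-written listing.
    """
    for combination in itertools.product(*split_source(source)):
        yield "".join(combination)


if __name__ == "__main__":
    # Constructed sample input taken from the example in the text above.
    for name in expand_source("(preA|preB)str(postX|postY)"):
        print(name)
```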
EventtypeParser
Provides eventtypes.conf parsing mechanism
Field
Provides the Field class containing all the field properties and a decorator to convert a list to a field list
- class standard_lib.addon_parser.fields.Field(field_json=None)
Bases: object
Contains the field properties
name (str): name of the field
type (str): Field type. Supported [required, conditional, optional]
expected_values (list): The field should have these expected values
negative_values (list): The field should not have these negative values
condition (spl): The field should only be checked if the condition is satisfied
validity (eval): eval statement to extract the valid fields only
- Parameters
field_json (dict) – dictionary containing field properties
TransformsParser
Provides transforms.conf parsing mechanism
- class standard_lib.addon_parser.transforms_parser.TransformsParser(splunk_app_path: str)
Bases: object
Parses transforms.conf and extracts fields
- Parameters
splunk_app_path (str) – Path of the Splunk app
- get_lookup_csv_fields(lookup_stanza: str) -> Optional[Generator]
Parse the fields from a lookup file for a specific lookup_stanza
- Parameters
lookup_stanza (str) – A lookup stanza mentioned in transforms.conf
- Yields
string of field names
- get_transform_fields(transforms_stanza: str) -> Optional[Generator]
Parse the transforms.conf of the App & yield fields of a specific stanza.
Supported extractions from transforms.conf are:
SOURCE_KEY = _raw
REGEX = some regex with (capturing_group)
FIELDS = one,
- Parameters
transforms_stanza (str) – The stanza of which the fields should be extracted
- Regex:
Parse the fields from a regex. Examples:
(?<name>regex)
(?'name'regex)
(?P<name>regex)
- Yields
generator of fields
SavedsearchesParser
Provides savedsearches.conf parsing mechanism