AddonParser

The module provides the Add-on parsing mechanism. It parses the knowledge objects from an Add-on’s configuration files.

Supports: fields from props & transforms, tags, eventtypes

class standard_lib.addon_parser.AddonParser(splunk_app_path)[source]

Bases: object

Parse the knowledge objects from an Add-on’s configuration files. Supports: fields from props & transforms, tags, eventtypes

Parameters

splunk_app_path (str) – Path to the Splunk App

get_eventtypes()[source]

Parse the App configuration files & yield eventtypes

Yields

generator of list of eventtypes

get_props_fields()[source]

Parse the props.conf and yield all supported fields

Yields

generator of all the supported fields

get_savedsearches()[source]

Parse the App configuration files & yield savedsearches

Yields

generator of list of savedsearches

get_tags()[source]

Parse the tags.conf of the App & yield stanzas

Yields

generator of stanzas from the tags

PropsParser

Provides props.conf parsing mechanism

class standard_lib.addon_parser.props_parser.PropsParser(splunk_app_path: str)[source]

Bases: object

Parses props.conf and extracts the fields.

Parameters

splunk_app_path (str) – Path of the Splunk app

static get_list_of_sources(source: str) Generator[source]

For a source containing | (OR), it will return all combinations. Uses itertools.product to list the combinations.

Example:

input "(preA|preB)str(postX|postY)"
output [
    preAstrpostX
    preBstrpostX
    preAstrpostY
    preBstrpostY
]

Parameters

source (str) – Source name

Yields

generator of source name
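The expansion described for get_list_of_sources can be reproduced as below. This is an added sketch, not the library's own code: the name expand_source and the sample stanza are assumptions, nested groups are not handled, and the order of results may differ from the order shown in the example above.

```python
import itertools
import re

# One parenthesised alternation such as "(preA|preB)". Nested groups are
# out of scope for this sketch (assumption, not taken from the library).
_GROUP = re.compile(r"\(([^()]*)\)")


def expand_source(source):
    """Yield every literal source name covered by the (a|b) alternations."""
    parts = []  # one list of options per segment, left to right
    pos = 0
    for match in _GROUP.finditer(source):
        if match.start() > pos:
            # Literal text between groups is a segment with a single option.
            parts.append([source[pos:match.start()]])
        parts.append(match.group(1).split("|"))
        pos = match.end()
    if pos < len(source):
        parts.append([source[pos:]])
    # The Cartesian product picks one option from each segment.
    for combo in itertools.product(*parts):
        yield "".join(combo)


if __name__ == "__main__":
    # Constructed sample: a props.conf source pattern with two alternations.
    sample = "(/var/log|/opt/app/log)/(access|error).log"
    for name in expand_source(sample):
        print(name)
```

A source without any parentheses comes back unchanged as a single result, so the same call works for every source stanza.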

get_props_fields()[source]

Parse the props.conf and yield all supported fields

Yields

generator of all the supported fields

EventtypeParser

Provides eventtypes.conf parsing mechanism

class standard_lib.addon_parser.eventtype_parser.EventTypeParser(splunk_app_path: str)[source]

Bases: object

Parses eventtypes.conf and extracts eventtypes

Parameters

splunk_app_path (str) – Path of the Splunk app

get_eventtypes() Optional[Generator][source]

Parse the App configuration files & yield eventtypes

Yields

generator of list of eventtypes

Field

Provides the Field class containing all the field properties and a decorator to convert a list to a field list

class standard_lib.addon_parser.fields.Field(field_json=None)[source]

Bases: object

Contains the field properties

  • name (str): name of the field

  • type (str): Field type. Supported [required, conditional, optional]

  • expected_values (list): The field should have these expected values

  • negative_values (list): The field should not have these negative values

  • condition (spl): The field should only be checked if the condition is satisfied

  • validity (eval): eval statement to extract the valid fields only

Parameters

field_json (dict) – dictionary containing field properties

classmethod parse_fields(field_list, **kwargs)[source]

Parse the fields from a list

Parameters

field_list (list) – list of field names

standard_lib.addon_parser.fields.convert_to_fields(func)[source]

Decorator to initialize the list of fields

TagsParser

Provides tags.conf parsing mechanism

class standard_lib.addon_parser.tags_parser.TagsParser(splunk_app_path: str)[source]

Bases: object

Parses tags.conf and extracts tags

Parameters

splunk_app_path (str) – Path of the Splunk app

get_tags() Optional[Generator][source]

Parse the tags.conf of the App & yield stanzas

Yields

generator of stanzas from the tags

TransformsParser

Provides transforms.conf parsing mechanism

class standard_lib.addon_parser.transforms_parser.TransformsParser(splunk_app_path: str)[source]

Bases: object

Parses transforms.conf and extracts fields

Parameters

splunk_app_path (str) – Path of the Splunk app

get_lookup_csv_fields(lookup_stanza: str) Optional[Generator][source]

Parse the fields from a lookup file for a specific lookup_stanza

Parameters

lookup_stanza (str) – A lookup stanza mentioned in transforms.conf

Yields

string of field names

get_transform_fields(transforms_stanza: str) Optional[Generator][source]

Parse the transforms.conf of the App & yield fields of a specific stanza.

Supported extractions from transforms.conf are

  • SOURCE_KEY = _raw

  • REGEX = some regex with (capturing_group)

  • FIELDS = one,

Parameters

transforms_stanza (str) – The stanza of which the fields should be extracted

Regex:

Parse the fields from a regex. Examples:

(?<name>regex)
(?'name'regex)
(?P<name>regex)

Yields

generator of fields

SavedsearchesParser

Provides savedsearches.conf parsing mechanism

class standard_lib.addon_parser.savedsearches_parser.SavedSearchParser(splunk_app_path: str)[source]

Bases: object

Parses savedsearches.conf and extracts savedsearches

Parameters

splunk_app_path (str) – Path of the Splunk app

get_savedsearches() Optional[Generator][source]

Parse the App configuration files & yield savedsearches

Yields

generator of list of savedsearches