AddonParser

The module provides the Add-on parsing mechanism. It parses the knowledge objects from an Add-on's configuration files.

Supports: fields from props & transforms, tags, eventtypes

Dependencies:

splunk_appinspect.App: To parse the configuration files

class standard_lib.addon_parser.AddonParser(splunk_app_path)[source]

Bases: object

Parse the knowledge objects from an Add-on’s configuration files. Supports: fields from props & transforms, tags, eventtypes

Parameters

splunk_app_path (str) – Path to the Splunk App

get_eventtypes()[source]

Parse the App configuration files & yield eventtypes

Yields

generator of list of eventtypes

get_props_fields()[source]

Parse the props.conf and yield all supported fields

Yields

generator of all the supported fields

get_savedsearches()[source]

Parse the App configuration files & yield savedsearches

Yields

generator of list of savedsearches

get_tags()[source]

Parse the tags.conf of the App & yield stanzas

Yields

generator of stanzas from the tags

PropsParser

Provides props.conf parsing mechanism

class standard_lib.addon_parser.props_parser.PropsParser(splunk_app_path, app)[source]

Bases: object

Parses props.conf and extracts the fields.

Parameters
  • splunk_app_path (str) – Path of the Splunk app

  • app (splunk_appinspect.App) – Object of Splunk app

get_eval_fields(props_property)[source]

Return the fields parsed from EVAL

Example:

EVAL-action = if(isnull(action), "unknown", action)

Parameters

props_property (splunk_appinspect.configuration_file.ConfigurationSetting) –

The configuration setting object of EVAL. Properties used:

  • name : key in the configuration settings

  • value : value of the respective name in the configuration

Yields

generator of fields

get_extract_fields(props_property)[source]

Returns the fields parsed from EXTRACT

Example:

EXTRACT-one = regex with (?<capturing_group>.*)

Parameters

props_property (splunk_appinspect.configuration_file.ConfigurationSetting) –

The configuration setting object of EXTRACT. Properties used:

  • name : key in the configuration settings

  • value : value of the respective name in the configuration

Regex:

Parse the fields from a regex. Examples,

  • (?<name>regex)

  • (?'name'regex)

  • (?P<name>regex)

Yields

generator of fields
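The three named-group syntaxes listed above are all a regex-parser needs to recognise to recover the field names an EXTRACT creates. The following is an added example, not code from the pytest-splunk-addon project: it takes the value of an EXTRACT-<class> setting (the part after "=") and returns the distinct field names in order of appearance. Lookbehind groups such as (?<=...) and (?<!...) share the "(?<" prefix but create no field, so they are excluded; the optional trailing "in <source_field>" clause Splunk allows on EXTRACT contains no group and is harmless.

```python
import re

# One regex covering the three named-group spellings Splunk accepts in EXTRACT/REGEX:
#   (?<name>...)   (?'name'...)   (?P<name>...)
# The name must start with a letter or underscore, which also rejects the
# lookbehind forms (?<=...) and (?<!...) and the backreference (?P=name).
_NAMED_GROUP = re.compile(r"\(\?(?:P?<|')([A-Za-z_][A-Za-z0-9_]*)[>']")


def get_extract_fields(value):
    """Return the field names an EXTRACT-style regex creates, in order, without duplicates.

    `value` is the right-hand side of an EXTRACT-<class> setting (hypothetical helper,
    not the project's own method).
    """
    fields = []
    for name in _NAMED_GROUP.findall(value):
        if name not in fields:  # the same group name may appear in several alternatives
            fields.append(name)
    return fields


if __name__ == "__main__":
    # Constructed sample EXTRACT value mixing all three syntaxes.
    sample = r"(?<src>\d+\.\d+\.\d+\.\d+) -> (?P<dest>\S+) (?'action'allow|deny)"
    print(get_extract_fields(sample))
```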

get_fieldalias_fields(props_property)[source]

Return the fields parsed from FIELDALIAS

Example:

FIELDALIAS-class = source AS dest, sc2 AS dest2

Parameters

props_property (splunk_appinspect.configuration_file.ConfigurationSetting) –

The configuration setting object of FIELDALIAS. Properties used:

  • name : key in the configuration settings

  • value : value of the respective name in the configuration

Regex:

Description:

  • Find all field alias group separated by space or comma

Examples:

  • field_source AS field_destination

  • "Field Source" as "Field Destination"

  • field_source ASNEW 'Field Destination'

  • field_source asnew field_destination

Yields

generator of fields
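The alias groups described above (bare or quoted field names, AS or ASNEW, separated by spaces or commas) can be matched with a single pattern. The following is an added example and not the project's own implementation: it returns (source, destination, keyword) triples, and a second hypothetical helper keeps only the destinations, which are the field names an event actually gains from a FIELDALIAS.

```python
import re

# A field name is either a double-quoted string, a single-quoted string, or a
# bare token with no whitespace, comma or quote. Quoted names may contain spaces.
_FIELD = r"""(?:"[^"]*"|'[^']*'|[^\s,"']+)"""

# One alias group: <source> AS|ASNEW <destination>. Splunk treats the keyword
# case-insensitively, so "as"/"asnew" are accepted too.
_ALIAS_GROUP = re.compile(
    rf"(?P<source>{_FIELD})\s+(?P<kw>AS|ASNEW)\s+(?P<dest>{_FIELD})",
    re.IGNORECASE,
)


def _unquote(token):
    """Strip one matching pair of surrounding quotes, if present."""
    if len(token) >= 2 and token[0] == token[-1] and token[0] in "\"'":
        return token[1:-1]
    return token


def get_fieldalias_fields(value):
    """Return [(source, destination, 'AS'|'ASNEW'), ...] from a FIELDALIAS value.

    Groups may be separated by whitespace or commas; anything between groups
    that does not form "<field> AS <field>" is skipped. Hypothetical helper.
    """
    return [
        (_unquote(m.group("source")), _unquote(m.group("dest")), m.group("kw").upper())
        for m in _ALIAS_GROUP.finditer(value)
    ]


def alias_destinations(value):
    """The new field names created by the FIELDALIAS, in order."""
    return [dest for _, dest, _ in get_fieldalias_fields(value)]


if __name__ == "__main__":
    # Constructed sample covering bare, double-quoted and single-quoted names.
    sample = 'source AS dest, sc2 AS dest2 "Field Source" as "Field Destination" sc3 ASNEW \'Dest 3\''
    print(get_fieldalias_fields(sample))
```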

static get_list_of_sources(source)[source]

For a source containing | (OR) alternations, it yields every concrete combination. Uses itertools.product to list the combinations.

Example:

input "(preA|preB)str(postX|postY)"
output [
    preAstrpostX
    preBstrpostX
    preAstrpostY
    preBstrpostY
]

Parameters

source (str) – Source name

Yields

generator of source names

get_lookup_fields(props_property)[source]

Extracts the lookup fields

Parameters

props_property (splunk_appinspect.configuration_file.ConfigurationSetting) –

The configuration setting object of LOOKUP. Properties used:

  • name : key in the configuration settings

  • value : value of the respective name in the configuration

Returns

List of lookup fields

get_props_fields()[source]

Parse the props.conf and yield all supported fields

Yields

generator of all the supported fields

get_props_method(class_name)[source]

Get the parsing method depending on classname

Parameters

class_name (str) – class name of the props property

Returns

instance method to parse the property

get_props_stanzas()[source]

Parse the props.conf of the App & yield stanzas. For source with | (OR), it will return all combinations

Yields

generator of stanzas from the props

get_report_fields(props_property)[source]

Returns the fields parsed from REPORT

To resolve the fields of a REPORT setting, the method parses the transforms.conf stanzas the setting references and returns their fields

Parameters

props_property (splunk_appinspect.configuration_file.ConfigurationSetting) –

The configuration setting object of REPORT. Properties used:

  • name : key in the configuration settings

  • value : value of the respective name in the configuration

Yields

generator of (transform_stanza, fields) parsed from transforms.conf

get_sourcetype_assignments(props_property)[source]

Get the sourcetype assigned for the source

Example:

[source::/splunk/var/log/splunkd.log]
sourcetype = splunkd

Parameters

props_property (splunk_appinspect.configuration_file.ConfigurationSetting) –

The configuration setting object of the sourcetype setting. Properties used:

  • name : key in the configuration settings

  • value : value of the respective name in the configuration

Yields

the sourcetype field with its possible value

parse_lookup_str(lookup_str)[source]

Get list of lookup fields by parsing the lookup string. If a field is aliased to another field, take the aliased field into consideration

Example:

LOOKUP-class = lookup_stanza input_field OUTPUT output_field

Parameters

lookup_str (str) – Lookup string from props.conf

Regex:

Parse the fields from the lookup string. Examples,

  • field1 AS field2, field3 field4 as field5

Returns

  • lookup_stanza (str): The stanza name for the lookup in question in transforms.conf

  • input_fields (list): The fields in the input of the lookup

  • output_fields (list): The fields in the output of the lookup

Return type

(dict)
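The lookup string has the shape "<stanza> <input fields> OUTPUT|OUTPUTNEW <output fields>", where each field may be written "lookup_field AS event_field" and fields are separated by spaces or commas. The following is an added example, not the project's parse_lookup_str: it returns the dict described above. Where a field is aliased, the alias (the right-hand side of AS, i.e. the name the field carries in the event) is kept, matching the rule stated for the method; OUTPUTNEW is accepted alongside OUTPUT. A lookup with no OUTPUT clause outputs all remaining lookup columns, which this string alone cannot tell you; that case is what get_lookup_csv_fields exists for, so the example returns an empty output list there.

```python
import re

# A field name: double-quoted, single-quoted, or a bare token without whitespace/comma/quote.
_TOKEN = r"""(?:"[^"]*"|'[^']*'|[^\s,"']+)"""
_OUTPUT_SPLIT = re.compile(r"\s+OUTPUT(?:NEW)?\s+", re.IGNORECASE)


def _unquote(token):
    if len(token) >= 2 and token[0] == token[-1] and token[0] in "\"'":
        return token[1:-1]
    return token


def _event_fields(segment):
    """'field1 AS field2, field3 field4 as field5' -> ['field2', 'field3', 'field5'].

    Walks the tokens; when a token is followed by AS the alias replaces it.
    """
    tokens = re.findall(_TOKEN, segment)
    fields = []
    i = 0
    while i < len(tokens):
        name = tokens[i]
        if i + 2 < len(tokens) and tokens[i + 1].upper() == "AS":
            name = tokens[i + 2]
            i += 3
        else:
            i += 1
        fields.append(_unquote(name))
    return fields


def parse_lookup_str(lookup_str):
    """Parse the value of a LOOKUP-<class> setting (hypothetical helper).

    Returns {"lookup_stanza": str, "input_fields": list, "output_fields": list}.
    """
    parts = _OUTPUT_SPLIT.split(lookup_str.strip(), maxsplit=1)
    head = parts[0]
    output_segment = parts[1] if len(parts) == 2 else ""  # no OUTPUT clause: unknown here

    head_tokens = head.split(None, 1)
    lookup_stanza = head_tokens[0]
    input_segment = head_tokens[1] if len(head_tokens) == 2 else ""

    return {
        "lookup_stanza": lookup_stanza,
        "input_fields": _event_fields(input_segment),
        "output_fields": _event_fields(output_segment),
    }


if __name__ == "__main__":
    # Constructed sample LOOKUP value with aliases on both sides.
    print(parse_lookup_str("dns_lookup field1 AS field2, field3 field4 as field5 OUTPUTNEW host AS dest_host, ip"))
```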

EventtypeParser

Provides eventtypes.conf parsing mechanism

class standard_lib.addon_parser.eventtype_parser.EventTypeParser(splunk_app_path, app)[source]

Bases: object

Parses eventtypes.conf and extracts eventtypes

Parameters
  • splunk_app_path (str) – Path of the Splunk app

  • app (splunk_appinspect.App) – Object of Splunk app

get_eventtypes()[source]

Parse the App configuration files & yield eventtypes

Yields

generator of list of eventtypes

Field

Provides the Field class containing all the field properties and a decorator to convert a list to field list

class standard_lib.addon_parser.fields.Field(field_json=None)[source]

Bases: object

Contains the field properties

  • name (str): name of the field

  • type (str): Field type. Supported [required, conditional, optional]

  • expected_values (list): The field should only take these expected values

  • negative_values (list): The field should not take any of these values

  • condition (spl): The field should only be checked if the condition satisfies

  • validity (eval): eval statement to extract the valid fields only

Parameters

field_json (dict) – dictionary containing field properties

classmethod parse_fields(field_list, **kwargs)[source]

Parse the fields from a list

Parameters

field_list (list) – list of field names

standard_lib.addon_parser.fields.convert_to_fields(func)[source]

Decorator to initialize the list of fields

TagsParser

Provides tags.conf parsing mechanism

class standard_lib.addon_parser.tags_parser.TagsParser(splunk_app_path, app)[source]

Bases: object

Parses tags.conf and extracts tags

Parameters
  • splunk_app_path (str) – Path of the Splunk app

  • app (splunk_appinspect.App) – Object of Splunk app

get_tags()[source]

Parse the tags.conf of the App & yield stanzas

Yields

generator of stanzas from the tags

TransformsParser

Provides transforms.conf parsing mechanism

class standard_lib.addon_parser.transforms_parser.TransformsParser(splunk_app_path, app)[source]

Bases: object

Parses transforms.conf and extracts fields

Parameters
  • splunk_app_path (str) – Path of the Splunk app

  • app (splunk_appinspect.App) – Object of Splunk app

get_lookup_csv_fields(lookup_stanza)[source]

Parse the fields from a lookup file for a specific lookup_stanza

Parameters

lookup_stanza (str) – A lookup stanza mentioned in transforms.conf

Yields

string of field names

get_transform_fields(transforms_stanza)[source]

Parse the transforms.conf of the App & yield fields of a specific stanza.

Supported extractions from transforms.conf are

  • SOURCE_KEY = _raw

  • REGEX = some regex with (capturing_group)

  • FIELDS = one,

Parameters

transforms_stanza (str) – The stanza of which the fields should be extracted

Regex:

Parse the fields from a regex. Examples:

(?<name>regex)
(?'name'regex)
(?P<name>regex)

Yields

generator of fields
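The settings listed above decide where a transforms.conf stanza's fields come from: when FIELDS is present it names the fields directly (REGEX then only supplies positional capture groups), otherwise the named groups in REGEX are the fields. This also covers get_report_fields in PropsParser, which maps each stanza named in a REPORT-<class> value to its fields. The following is an added example, not project code: a minimal .conf reader plus the two lookups, run over a constructed transforms.conf. It drops the empty item a trailing comma leaves in "FIELDS = one," and returns nothing for a stanza that is missing or has neither setting; SOURCE_KEY is read but does not change which fields are produced.

```python
import re

# Named groups in the three syntaxes Splunk accepts: (?<n>..) (?'n'..) (?P<n>..).
_NAMED_GROUP = re.compile(r"\(\?(?:P?<|')([A-Za-z_][A-Za-z0-9_]*)[>']")

# Constructed sample transforms.conf; not taken from any real add-on.
SAMPLE_TRANSFORMS = r"""
# firewall action extraction
[fw_action]
SOURCE_KEY = _raw
REGEX = action=(?<action>\w+)\s+src=(?'src'\S+)\s+dst=(?P<dest>\S+)

[fw_csv]
REGEX = ^([^,]+),([^,]+),([^,]*)
FIELDS = user, status,

[fw_no_fields]
REGEX = ^\S+ (\d+)$
"""


def parse_conf(text):
    """Minimal Splunk .conf reader: {stanza: {key: value}}. Comments and blank lines skipped."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")  # split on the first "=" only
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def get_transform_fields(stanzas, transforms_stanza):
    """Yield the fields a transforms.conf stanza extracts (hypothetical helper)."""
    settings = stanzas.get(transforms_stanza, {})
    if "FIELDS" in settings:
        # FIELDS wins: each comma-separated name is a field; a trailing comma
        # ("FIELDS = one,") produces an empty item that must be ignored.
        for name in settings["FIELDS"].split(","):
            name = name.strip().strip('"')
            if name:
                yield name
        return
    # No FIELDS: only named capture groups in REGEX create fields.
    for name in _NAMED_GROUP.findall(settings.get("REGEX", "")):
        yield name


def get_report_fields(report_value, stanzas):
    """'REPORT-<class> = stanza1, stanza2' -> yields (stanza, [fields...]) per stanza."""
    for name in report_value.split(","):
        name = name.strip()
        if name:
            yield name, list(get_transform_fields(stanzas, name))


if __name__ == "__main__":
    conf = parse_conf(SAMPLE_TRANSFORMS)
    for stanza, fields in get_report_fields("fw_action, fw_csv, fw_no_fields", conf):
        print(stanza, fields)
```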

SavedsearchesParser

Provides savedsearches.conf parsing mechanism

class standard_lib.addon_parser.savedsearches_parser.SavedSearchParser(splunk_app_path, app)[source]

Bases: object

Parses savedsearches.conf and extracts savedsearches

Parameters
  • splunk_app_path (str) – Path of the Splunk app

  • app (splunk_appinspect.App) – Object of Splunk app

get_savedsearches()[source]

Parse the App configuration files & yield savedsearches

Yields

generator of list of savedsearches