AddonParser¶
The module provides the Add-on parsing mechanism. It can parse the knowledge objects from an Add-on’s configuration files
Supports: fields from props & transforms, tags, eventtypes
- Dependencies:
splunk_appinspect.App: To parse the configuration files
-
class
standard_lib.addon_parser.AddonParser(splunk_app_path)[source]¶ Bases:
objectParse the knowledge objects from an Add-on’s configuration files. Supports: fields from props & transforms, tags, eventtypes
- Parameters
splunk_app_path (str) – Path to the Splunk App
-
get_eventtypes()[source]¶ Parse the App configuration files & yield eventtypes
- Yields
generator of list of eventtypes
-
get_props_fields()[source]¶ Parse the props.conf and yield all supported fields
- Yields
generator of all the supported fields
-
get_savedsearches()[source]¶ Parse the App configuration files & yield searchedservices
- Yields
generator of list of searchedservices
Parse the tags.conf of the App & yield stanzas
- Yields
generator of stanzas from the tags
PropsParser¶
Provides props.conf parsing mechanism
-
class
standard_lib.addon_parser.props_parser.PropsParser(splunk_app_path, app)[source]¶ Bases:
objectParses props.conf and extracts the fields.
- Parameters
splunk_app_path (str) – Path of the Splunk app
app (splunk_appinspect.App) – Object of Splunk app
-
get_eval_fields(props_property)[source]¶ Return the fields parsed from EVAL
Example:
EVAL-action = if(isnull(action), "unknown", action)
- Parameters
props_property (splunk_appinspect.configuration_file.ConfigurationSetting) –
The configuration setting object of eval properties used:
name : key in the configuration settings
value : value of the respective name in the configuration
- Yields
generator of fields
-
get_extract_fields(props_property)[source]¶ Returns the fields parsed from EXTRACT
Example:
EXTRACT-one = regex with (?<capturing_group>.*)
- Parameters
props_property (splunk_appinspect.configuration_file.ConfigurationSetting) –
The configuration setting object of EXTRACT. properties used:
name : key in the configuration settings
value : value of the respective name in the configuration
- Regex:
Parse the fields from a regex. Examples,
(?<name>regex)
(?’name’regex)
(?P<name>regex)
- Yields
generator of fields
-
get_fieldalias_fields(props_property)[source]¶ Return the fields parsed from FIELDALIAS
Example:
FIELDALIAS-class = source AS dest, sc2 AS dest2
- Parameters
props_property (splunk_appinspect.configuration_file.ConfigurationSetting) –
The configuration setting object of FIELDALIAS properties used:
name : key in the configuration settings
value : value of the respective name in the configuration
- Regex:
Description:
Find all field alias group separated by space or comma
Examples:
field_source AS field_destination
“Field Source” as “Field Destination”
field_source ASNEW ‘Field Destination’
field_source asnew field_destination
- Yields
generator of fields
-
static
get_list_of_sources(source)[source]¶ For source with | (OR), it will return all combinations. Uses itertools.product to list the combinations
Example:
input "(preA|preB)str(postX|postY)" output [ preAstrpostX preBstrpostX preAstrpostY preBstrpostY ]
- Parameters
source (str) – Source name
- Yields
generator of source name
-
get_lookup_fields(props_property)[source]¶ Extracts the lookup fields
- Parameters
props_property (splunk_appinspect.configuration_file.ConfigurationSetting) –
The configuration setting object of eval properties used:
name : key in the configuration settings
value : value of the respective name in the configuration
- Returns
List of lookup fields
-
get_props_fields()[source]¶ Parse the props.conf and yield all supported fields
- Yields
generator of all the supported fields
-
get_props_method(class_name)[source]¶ Get the parsing method depending on classname
- Parameters
class_name (str) – class name of the props property
- Returns
instance method to parse the property
-
get_props_stanzas()[source]¶ Parse the props.conf of the App & yield stanzas. For source with | (OR), it will return all combinations
- Yields
generator of stanzas from the props
-
get_report_fields(props_property)[source]¶ Returns the fields parsed from REPORT
In order to parse the fields REPORT, the method parses the transforms.conf and returns the list
- Parameters
props_property (splunk_appinspect.configuration_file.ConfigurationSetting) –
The configuration setting object of REPORT. properties used:
name : key in the configuration settings
value : value of the respective name in the configuration
- Yields
generator of (transform_stanza ,fields) parsed from transforms.conf
-
get_sourcetype_assignments(props_property)[source]¶ Get the sourcetype assigned for the source
Example:
[source::/splunk/var/log/splunkd.log] sourcetype = splunkd
- Parameters
props_property (splunk_appinspect.configuration_file.ConfigurationSetting) –
The configuration setting object of REPORT. properties used:
name : key in the configuration settings
value : value of the respective name in the configuration
- Yields
the sourcetype field with possible value
-
parse_lookup_str(lookup_str)[source]¶ Get list of lookup fields by parsing the lookup string. If a field is aliased to another field, take the aliased field into consideration
Example:
LOOKUP-class = lookup_stanza input_field OUTPUT output_field
- Parameters
lookup_str (str) – Lookup string from props.conf
- Regex:
Parse the fields from the lookup string. Examples,
field1 AS field2, field3 field4 as field5
- Returns
lookup_stanza (str): The stanza name for the lookup in question in transforms.conf input_fields (list): The fields in the input of the lookup output_fields (list): The fields in the output of the lookup
- Return type
(dict)
EventtypeParser¶
Provides eventtypes.conf parsing mechanism
Field¶
Provides the Field class containing all the field properties and a decorator to convert a list to field list
-
class
standard_lib.addon_parser.fields.Field(field_json=None)[source]¶ Bases:
objectContains the field properties
name (str): name of the field
type (str): Field type. Supported [required, conditional, optional]
expected_values (list): The field should have this expected values
negative_values (list): The field should not have negative values
condition (spl): The field should only be checked if the condition satisfies
validity (eval): eval statement to extract the valid fields only
- Parameters
field_json (dict) – dictionary containing field properties
TagsParser¶
Provides tags.conf parsing mechanism
Bases:
objectParses tags.conf and extracts tags
- Parameters
splunk_app_path (str) – Path of the Splunk app
app (splunk_appinspect.App) – Object of Splunk app
Parse the tags.conf of the App & yield stanzas
- Yields
generator of stanzas from the tags
TransformsParser¶
Provides transforms.conf parsing mechanism
-
class
standard_lib.addon_parser.transforms_parser.TransformsParser(splunk_app_path, app)[source]¶ Bases:
objectParses transforms.conf and extracts fields
- Parameters
splunk_app_path (str) – Path of the Splunk app
app (splunk_appinspect.App) – Object of Splunk app
-
get_lookup_csv_fields(lookup_stanza)[source]¶ Parse the fields from a lookup file for a specific lookup_stanza
- Parameters
lookup_stanza (str) – A lookup stanza mentioned in transforms.conf
- Yields
string of field names
-
get_transform_fields(transforms_stanza)[source]¶ Parse the tranforms.conf of the App & yield fields of a specific stanza.
Supported extractions from transforms.conf are
SOURCE_KEY = _raw
REGEX = some regex with (capturing_group)
FIELDS = one,
- Parameters
transforms_stanza (str) – The stanza of which the fields should be extracted
- Regex:
Parse the fields from a regex. Examples:
(?<name>regex) (?'name'regex) (?P<name>regex)
- Yields
generator of fields
SavedsearchesParser¶
Provides savedsearches.conf parsing mechanism