def main(): try: output_fields = ['_time'] output_results = [] search_results, dummyresults, settings = intersplunk.getOrganizedResults( ) if search_results is None or len(search_results) == 0: intersplunk.outputResults(output_results, fields=output_fields) return fields = search_results[0].keys() is_field_valid, is_detection_needed = check_fields(fields) if not is_field_valid: intersplunk.parseError( 'This visualization requires timestamped, evenly spaced numeric time-series data. Try using the timechart command in your query.' ) if not is_detection_needed: intersplunk.outputResults(search_results, fields=search_results[0].keys()) return output_results, output_fields = wrap_anomaly_detection(search_results) intersplunk.outputResults(output_results, fields=output_fields) except: stack = traceback.format_exc() results = intersplunk.generateErrorResults("Error : Traceback: " + str(stack)) intersplunk.outputResults(results)
def _handle_response(self, response, content): if response.status in (200, 201): resp = self._get_resp_record(content) if resp: result = self._get_result(resp) else: result = {"error": "Failed to create ticket"} self.logger.debug(result) return result else: self.logger.error("Failed to create ticket. Return code is %s. " "Reason is %s", response.status, response.reason) si.parseError("Failed to create ticket. Return code is {0}. Reason" " is {1}".format(response.status, response.reason)) return None
def _handle_response(self, response, content): if response.status in (200, 201): resp = self._get_resp_record(content) if resp: result = self._get_result(resp) else: result = {"error": "Failed to create ticket"} return result else: self.logger.error( "Failed to create ticket. Return code is %s. " "Reason is %s", response.status, response.reason) si.parseError("Failed to create ticket. Return code is {0}. Reason" " is {1}".format(response.status, response.reason)) return None
def wrap_anomaly_detection(search_results): fields = search_results[0].keys() detected_fields = list( filter(lambda x: x not in const.FILTER_FIELDS, fields)) output_count = len(search_results) - algorithm.get_train_count() output_results = [{ '_time': search_results[i + algorithm.get_train_count()]['_time'] } for i in xrange(output_count)] # initialize output output_fields = ['_time'] outlier_count = 0 for cur_field in detected_fields: output_fields += [ 'value_' + cur_field, 'outlier_' + cur_field, 'severity_' + cur_field ] try: cur_data = [ float(str(search_results[i][cur_field])) for i in xrange(len(search_results)) ] outlier_indexes, severity_array = algorithm.anomaly_detection( cur_data) severity_index = 0 outlier_count += len(outlier_indexes) for i in xrange(output_count): search_results_index = i + algorithm.get_train_count() output_results[i]['value_' + cur_field] = search_results[ search_results_index][cur_field] output_results[i][ 'outlier_' + cur_field] = search_results_index in outlier_indexes output_results[i]['severity_' + cur_field] = severity_array[ severity_index] if search_results_index in outlier_indexes else 0 if search_results_index in outlier_indexes: severity_index += 1 except ValueError: intersplunk.parseError( 'This command only supports numbers. Field %s is not numerical. ' % cur_field) if outlier_count == 0: return [], output_fields else: return output_results, output_fields
def main(): p = pdns.PDNS() # Parse arguments from splunk search opts, kwargs = Intersplunk.getKeywordsAndOptions() limit = int(kwargs.get("limit", 25)) events, _, _ = Intersplunk.getOrganizedResults() # Annotate events for event in events: value = [] for field in opts: if event.get(field): value.append(event[field]) if not value: continue query = {} answer = {} for val in value: try: for res in p.query(val, limit=limit): if res["query"] != value: query[res["query"]] = True if res["answer"] != value: answer[res["answer"]] = True except pdns.connectionError as e: Intersplunk.parseError(str(e)) return except pdns.resourceLimitExceeded as e: Intersplunk.parseError(str(e)) return if query: if "query" not in event: event["query"] = query.keys() if answer: if "answer" not in event: event["answer"] = answer.keys() Intersplunk.outputResults(events)
def parseArgs(txt): m = re.match('\s*(?:(?P<count>-?\d+)\s+)?(?P<variables>.+)', txt) if m == None: si.parseError(usage()) md = m.groupdict() counttext = md['count'] count = 1 if counttext != None: count = int(counttext) variables = md['variables'] mapping = [] matches = re.findall("(?i)\s*(?:(?P<alias>[a-z0-9_.]+)\s*[=])?\s*(?P<field>[$a-z0-9_.]+)", variables) for alias, value in matches: if value.startswith('$'): value = value[1:] elif alias == '': alias = value mapping.append((alias, value)) return count, mapping
def parseArgs(txt): m = re.match('\s*(?:(?P<count>-?\d+)\s+)?(?P<variables>.+)', txt) if m == None: si.parseError(usage()) md = m.groupdict() counttext = md['count'] count = 1 if counttext != None: count = int(counttext) variables = md['variables'] mapping = [] matches = re.findall("(?i)\s*(?:(?P<alias>[a-z0-9_]+)\s*[=])?\s*(?P<field>[$a-z0-9_]+)", variables) for alias, value in matches: if value.startswith('$'): value = value[1:] elif alias == '': alias = value mapping.append((alias, value)) return count, mapping
def main(): p = pdns.PDNS() # Parse arguments from splunk search opts, kwargs = Intersplunk.getKeywordsAndOptions() # Get limit from kwargs, but default to 25 if not specified limit = int(kwargs.get("limit", 25)) results = [] for value in opts: try: result = p.query(value, limit = limit) except pdns.connectionError as e: Intersplunk.parseError(str(e)) return except pdns.resourceLimitExceeded as e: Intersplunk.parseError(str(e)) return results += result Intersplunk.outputResults(results)
def main(): p = pdns.PDNS() # Parse arguments from splunk search opts, kwargs = Intersplunk.getKeywordsAndOptions() # Get limit from kwargs, but default to 25 if not specified limit = int(kwargs.get("limit", 25)) results = [] for value in opts: try: result = p.query(value, limit = limit) except pdns.connectionError as e: Intersplunk.parseError(str(e)) return except pdns.resourceLimitExceeded as e: Intersplunk.parseError(str(e)) return results += result Intersplunk.outputResults(results) try: main() except Exception as e: Intersplunk.parseError(traceback.format_exc())
def error(self, message): si.parseError("{0}. {1}".format(message, self.format_usage()))
def main(): try: search_results, dummyresults, settings = intersplunk.getOrganizedResults( ) session_key = settings['sessionKey'] if len(sys.argv) == 2: # update aws price info if sys.argv[1] == 'info': task = AwsInfoTask(session_key) task.execute() elif len(sys.argv) == 5: # obtain price detail region = sys.argv[1] instance_type = sys.argv[2] product_os = sys.argv[3] tenancy = sys.argv[4] on_demand_hourly, reserved_one_all_yearly, reserved_one_partial_yearly, reserved_one_partial_hourly, reserved_one_no_hourly, currency = read_price( region, instance_type, product_os, tenancy, session_key) intersplunk.outputResults([{ PRICE_ON_DEMAND_HOURLY: on_demand_hourly, PRICE_RESERVED_ONE_ALL_YEARLY: reserved_one_all_yearly, PRICE_RESERVED_ONE_PARTIAL_YEARLY: reserved_one_partial_yearly, PRICE_RESERVED_ONE_PARTIAL_HOURLY: reserved_one_partial_hourly, PRICE_RESERVED_ONE_NO_HOURLY: reserved_one_no_hourly, CURRENCY: currency }], fields=[ PRICE_ON_DEMAND_HOURLY, PRICE_RESERVED_ONE_ALL_YEARLY, PRICE_RESERVED_ONE_PARTIAL_YEARLY, PRICE_RESERVED_ONE_PARTIAL_HOURLY, PRICE_RESERVED_ONE_NO_HOURLY, CURRENCY ]) elif len(sys.argv) == 7: # calculate optimal RI, RI cost and on demand cost base = sys.argv[1] region = sys.argv[2] instance_type = sys.argv[3] purchase_option = sys.argv[4] product_os = sys.argv[5] tenancy = sys.argv[6] valid_days, message = get_valid_days_from_conf(session_key) if valid_days < 0: ri = 'N/A' ri_cost = 'N/A' instance_hours = [] on_demand_hourly = 0 currency = '$' if re.match( r'cn-.*', region) == None else '\xc2\xa5'.decode('utf8') else: history_len, instance_hours = get_instance_hours( base, search_results) # read price on_demand_hourly, reserved_one_all_yearly, reserved_one_partial_yearly, reserved_one_partial_hourly, reserved_one_no_hourly, currency = read_price( region, instance_type, product_os, tenancy, session_key) if valid_days * HOURS_OF_DAY > history_len: ri = 'N/A' ri_cost = 'N/A' message = 'It\'s required to have %d days\' data at least. You can update the setting in recommendation.conf' % ( valid_days) else: if purchase_option == 'all': ri, ri_cost, message = ri_wrap( instance_hours, on_demand_hourly, reserved_one_all_yearly / HOURS_OF_YEAR) elif purchase_option == 'partial': ri, ri_cost, message = ri_wrap( instance_hours, on_demand_hourly, reserved_one_partial_yearly / HOURS_OF_YEAR + reserved_one_partial_hourly) else: ri, ri_cost, message = ri_wrap(instance_hours, on_demand_hourly, reserved_one_no_hourly) instance_hours_len = max(1, len(instance_hours)) outputResults = [] cur_line = {} cur_line[ON_DEMAND_COST] = int( round(on_demand_hourly * sum(instance_hours) / instance_hours_len * HOURS_OF_YEAR)) # on demand cost cur_line[RI] = ri cur_line[RI_COST] = 'N/A' if ri_cost == 'N/A' else int( round(ri_cost / instance_hours_len * HOURS_OF_YEAR)) # RI cost cur_line[MESSAGE] = message cur_line[CURRENCY] = currency outputResults.append(cur_line) intersplunk.outputResults( outputResults, fields=[RI, RI_COST, ON_DEMAND_COST, MESSAGE, CURRENCY]) else: intersplunk.parseError( "Arguments should be recommendation base, AZ, instance type, purchase option, os and tenancy." ) except: stack = traceback.format_exc() results = intersplunk.generateErrorResults("Error : Traceback: " + str(stack)) intersplunk.outputResults(results)
import csv import sys import splunk.Intersplunk as intersplunk import splunk.rest as rest import urllib import json import re import collections #(isgetinfo, sys.argv) = intersplunk.isGetInfo(sys.argv) if len(sys.argv) < 2: intersplunk.parseError("Please specify a valid incident_id") #if isgetinfo: # intersplunk.outputInfo(False, False, True, False, None, True) # # outputInfo automatically calls sys.exit() stdinArgs = sys.stdin.readline() stdinArgs = stdinArgs.strip() stdinArgs = stdinArgs[11:] stdinArgs = urllib.unquote(stdinArgs).decode('utf8') match = re.search(r'<authToken>([^<]+)</authToken>', stdinArgs) sessionKey = match.group(1) incident_id = sys.argv[1] query = {} query['incident_id'] = incident_id uri = '/servicesNS/nobody/alert_manager/storage/collections/data/incident_results?query=%s' % urllib.quote( json.dumps(query))
def _handle_error(self, msg="Failed to create ticket."): si.parseError(msg)
import csv import sys import splunk.Intersplunk as intersplunk import splunk.rest as rest import urllib import json import re import collections #(isgetinfo, sys.argv) = intersplunk.isGetInfo(sys.argv) if len(sys.argv) < 2: intersplunk.parseError("Please specify a valid incident_id") #if isgetinfo: # intersplunk.outputInfo(False, False, True, False, None, True) # # outputInfo automatically calls sys.exit() stdinArgs = sys.stdin.readline() stdinArgs = stdinArgs.strip() stdinArgs = stdinArgs[11:] stdinArgs = urllib.unquote(stdinArgs).decode('utf8') match = re.search(r'<authToken>([^<]+)</authToken>', stdinArgs) sessionKey = match.group(1) incident_id = sys.argv[1] query = {} query['incident_id'] = incident_id uri = '/servicesNS/nobody/alert_manager/storage/collections/data/incident_results?query=%s' % urllib.quote(json.dumps(query)) serverResponse, serverContent = rest.simpleRequest(uri, sessionKey=sessionKey)
pmList.append(key) result = {} results = [] result['Placemarks'] = ', '.join(str(x) for x in pmList) results.append(result) si.outputResults(results) except Exception, e2: #stack2 = traceback.format_exc() si.generateErrorResults("Error '%s'" % e2) # Usage def usage(): si.generateErrorResults("Script usage: | kml_lookup lat=<lat> lon=<lon>") exit(-1) # Main if __name__ == '__main__': try: keywords, argvals = si.getKeywordsAndOptions() lat = argvals.get("lat", 0) lon = argvals.get("lon", 0) if not lat or not lon: usage() getPlacemarks(lat, lon) except Exception, e: raise si.parseError(e)
import csv import sys import splunk.Intersplunk as intersplunk import splunk.rest as rest import urllib import json import re import collections #(isgetinfo, sys.argv) = intersplunk.isGetInfo(sys.argv) if len(sys.argv) < 2: intersplunk.parseError("Please specify a valid risk_id") #if isgetinfo: # intersplunk.outputInfo(False, False, True, False, None, True) # # outputInfo automatically calls sys.exit() stdinArgs = sys.stdin.readline() stdinArgs = stdinArgs.strip() stdinArgs = stdinArgs[11:] stdinArgs = urllib.unquote(stdinArgs).decode('utf8') match = re.search(r'<authToken>([^<]+)</authToken>', stdinArgs) sessionKey = match.group(1) risk_id = sys.argv[1] query = {} query['risk_id'] = risk_id uri = '/servicesNS/nobody/risk_manager/storage/collections/data/risk_results?query=%s' % urllib.quote(json.dumps(query)) serverResponse, serverContent = rest.simpleRequest(uri, sessionKey=sessionKey)
# Version 4.0 import sys import splunk.Intersplunk as isp if len(sys.argv) != 3: isp.parseError( "Usage: indextimerange <earliest_time_epoch> <latest_time_epoch>") a = 0 b = 0 try: a = int(sys.argv[1]) b = int(sys.argv[2]) if (b < a): raise ValueError except: isp.parseError("Invalid earliest and/or latest epoch times") disjuncts = [] while a < b: level = 10 while a % level == 0 and (a + level) <= b: level = level * 10 level = level / 10 disjuncts.append('_indextime=%d%s' % (a / level, level > 1 and '*' or ''))
def _handle_error(self, msg): si.parseError(msg)