def get_headlines_detail(self, headlines, app, user, count, earliest, severity=None, srtd=None):
search_string = ""
sorted_list = []
if earliest is not None:
search_string = search_string + ' trigger_time > ' + str(self.get_time(earliest))
for headline in headlines:
try:
s = SavedSearch.get(SavedSearch.build_id(headline.alert_name, app, user))
alerts = None
if s.alert.severity in severity:
alerts = s.get_alerts()
if alerts is not None:
if len(search_string) > 0:
alerts.search(search_string)
for alert in alerts:
h = {'message' : self.replace_tokens(headline.message, alert.sid),
'job_id' : alert.sid,
'severity' : s.alert.severity,
'count' : alert.triggered_alerts,
'time' : alert.trigger_time.strftime('%s'),
'timesince' : timesince(alert.trigger_time)}
sorted_list.append(h)
except Exception, ex:
logger.warn('problem retreiving alerts for saved search %s' % headline.alert_name)
logger.debug(ex)
def isSearchEnabled(searchName, sessionKey):
try:
saved_search = SavedSearch.get(
SavedSearch.build_id(searchName, None, None), sessionKey)
return not saved_search.is_disabled
except splunk.ResourceNotFound:
return None # Search was not found!
def get_headlines_detail(self,
headlines,
app,
user,
count,
earliest,
severity=None,
srtd=None):
search_string = ""
sorted_list = []
if earliest is not None:
search_string = search_string + ' trigger_time > ' + str(
self.get_time(earliest))
for headline in headlines:
try:
s = SavedSearch.get(
SavedSearch.build_id(headline.alert_name, app, user))
alerts = None
if s.alert.severity in severity:
alerts = s.get_alerts()
if alerts is not None:
if len(search_string) > 0:
alerts.search(search_string)
for alert in alerts:
h = {
'message':
self.replace_tokens(headline.message, alert.sid),
'job_id':
alert.sid,
'severity':
s.alert.severity,
'count':
alert.triggered_alerts,
'time':
alert.trigger_time.strftime('%s'),
'timesince':
timesince(alert.trigger_time)
}
sorted_list.append(h)
except Exception, ex:
logger.warn('problem retreiving alerts for saved search %s' %
headline.alert_name)
logger.debug(ex)
def run(*args, **kwargs):
"""
This function checks for related searches that are not enabled even though the correlation search is.
"""
sessionKey = kwargs.get('sessionKey')
correlation_searches = CorrelationSearch.all(sessionKey=sessionKey)
# Determine if the search is enabled
def isSearchEnabled(searchName, sessionKey):
try:
saved_search = SavedSearch.get(
SavedSearch.build_id(searchName, None, None), sessionKey)
return not saved_search.is_disabled
except splunk.ResourceNotFound:
return None # Search was not found!
def checkRelatedSearch(main_search, related_search, sessionKey, messages):
if main_search is not None:
enabled = isSearchEnabled(related_search, sessionKey)
# The related search could not be found
if enabled is None:
messages.append((logging.ERROR,
MSG_RELATED_SEARCH_NOT_FOUND.format(
main_search, related_search)))
# The related search is disabled
elif not enabled:
messages.append((logging.ERROR,
MSG_RELATED_SEARCH_DISABLED.format(
main_search, related_search)))
messages = []
# Check the related searches for each correlation search
for correlation_search in correlation_searches:
saved_search = None
# Make sure the correlation search is enabled
try:
## SOLNESS-9934: using owner='nobody' to mitigate false positives as a result of owner differences
saved_search = SavedSearch.get(
SavedSearch.build_id(correlation_search.name,
correlation_search.namespace, 'nobody'),
sessionKey)
except splunk.ResourceNotFound:
## SOLNESS-7123: Adding exception for the manual notable event correlation search entry
if correlation_search.name != "Manual Notable Event - Rule":
# Possibly an orphaned correlationsearches.conf stanza.
messages.append(
(logging.ERROR,
MSG_CORRELATION_SEARCH_ERR.format(
correlation_search.name, correlation_search.namespace,
SEARCHLINK_CORRELATION_SEARCH_ERR)))
if saved_search and not saved_search.is_disabled:
# If the search is enabled, check the related searches to make sure they are enabled too
for i in ['', '_0', '_1', '_2', '_3', '_4']:
if getattr(correlation_search,
'related_search_name' + i) is not None:
checkRelatedSearch(
correlation_search.name,
getattr(correlation_search, 'related_search_name' + i),
sessionKey, messages)
return messages
