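def get_headlines_detail(self, headlines, app, user, count, earliest, severity=None, srtd=None):
    """Collect triggered-alert details for each headline.

    For every headline the saved search named by ``headline.alert_name`` is
    looked up in the ``app``/``user`` namespace. When its severity passes the
    ``severity`` filter, its triggered alerts are fetched, optionally
    restricted to alerts whose ``trigger_time`` is after ``earliest``, and one
    dict per alert is collected.

    Args:
        headlines: iterable of objects exposing ``alert_name`` and ``message``.
        app, user: namespace components passed to ``SavedSearch.build_id``.
        count, srtd: accepted for interface compatibility; not used here.
        earliest: time spec handed to ``self.get_time``; ``None`` applies no
            time restriction.
        severity: collection of severities to include. ``None`` means no
            severity filter. (Previously the ``None`` default made
            ``s.alert.severity in severity`` raise ``TypeError``, which the
            per-headline handler masked as a retrieval warning, so every
            headline was silently dropped.)

    Returns:
        list of dicts with keys ``message``, ``job_id``, ``severity``,
        ``count``, ``time`` and ``timesince``, in headline/alert order.
    """
    search_string = ""
    sorted_list = []
    if earliest is not None:
        # NOTE(review): get_time is assumed to return a numeric epoch; its
        # str() becomes part of a search expression, so confirm it never
        # echoes raw caller input.
        search_string += ' trigger_time > ' + str(self.get_time(earliest))
    for headline in headlines:
        try:
            s = SavedSearch.get(SavedSearch.build_id(headline.alert_name, app, user))
            if severity is not None and s.alert.severity not in severity:
                continue
            alerts = s.get_alerts()
            if alerts is None:
                continue
            if search_string:
                alerts.search(search_string)
            for alert in alerts:
                sorted_list.append({
                    'message': self.replace_tokens(headline.message, alert.sid),
                    'job_id': alert.sid,
                    'severity': s.alert.severity,
                    'count': alert.triggered_alerts,
                    # '%s' (epoch seconds) is a libc extension, not portable strftime
                    'time': alert.trigger_time.strftime('%s'),
                    'timesince': timesince(alert.trigger_time),
                })
        except Exception as ex:
            # Best-effort per headline: one bad saved search must not hide the others.
            logger.warning('problem retreiving alerts for saved search %s' % headline.alert_name)
            logger.debug(ex)
    return sorted_list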
def isSearchEnabled(searchName, sessionKey):
    """Report whether a saved search is enabled.

    Args:
        searchName: name of the saved search (looked up with no app/owner scope).
        sessionKey: session used for the lookup.

    Returns:
        ``True`` if enabled, ``False`` if disabled, ``None`` when the saved
        search does not exist.
    """
    try:
        found = SavedSearch.get(SavedSearch.build_id(searchName, None, None), sessionKey)
        enabled = not found.is_disabled
    except splunk.ResourceNotFound:
        return None  # Search was not found!
    return enabled
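def get_headlines_detail(self, headlines, app, user, count, earliest, severity=None, srtd=None):
    """Collect triggered-alert details for each headline.

    For every headline the saved search named by ``headline.alert_name`` is
    looked up in the ``app``/``user`` namespace. When its severity passes the
    ``severity`` filter, its triggered alerts are fetched, optionally
    restricted to alerts whose ``trigger_time`` is after ``earliest``, and one
    dict per alert is collected.

    Args:
        headlines: iterable of objects exposing ``alert_name`` and ``message``.
        app, user: namespace components passed to ``SavedSearch.build_id``.
        count, srtd: accepted for interface compatibility; not used here.
        earliest: time spec handed to ``self.get_time``; ``None`` applies no
            time restriction.
        severity: collection of severities to include. ``None`` means no
            severity filter. (Previously the ``None`` default made
            ``s.alert.severity in severity`` raise ``TypeError``, which the
            per-headline handler masked as a retrieval warning, so every
            headline was silently dropped.)

    Returns:
        list of dicts with keys ``message``, ``job_id``, ``severity``,
        ``count``, ``time`` and ``timesince``, in headline/alert order.
    """
    search_string = ""
    sorted_list = []
    if earliest is not None:
        # NOTE(review): get_time is assumed to return a numeric epoch; its
        # str() becomes part of a search expression, so confirm it never
        # echoes raw caller input.
        search_string += ' trigger_time > ' + str(self.get_time(earliest))
    for headline in headlines:
        try:
            s = SavedSearch.get(SavedSearch.build_id(headline.alert_name, app, user))
            if severity is not None and s.alert.severity not in severity:
                continue
            alerts = s.get_alerts()
            if alerts is None:
                continue
            if search_string:
                alerts.search(search_string)
            for alert in alerts:
                sorted_list.append({
                    'message': self.replace_tokens(headline.message, alert.sid),
                    'job_id': alert.sid,
                    'severity': s.alert.severity,
                    'count': alert.triggered_alerts,
                    # '%s' (epoch seconds) is a libc extension, not portable strftime
                    'time': alert.trigger_time.strftime('%s'),
                    'timesince': timesince(alert.trigger_time),
                })
        except Exception as ex:
            # Best-effort per headline: one bad saved search must not hide the others.
            logger.warning('problem retreiving alerts for saved search %s' % headline.alert_name)
            logger.debug(ex)
    return sorted_list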
def run(*args, **kwargs):
    """
    Flag correlation searches whose related searches are missing or disabled.

    Each correlation search is resolved to its saved search (owner 'nobody');
    when that saved search is enabled, every non-empty
    ``related_search_name``/``related_search_name_N`` entry is checked.

    Returns:
        list of ``(logging level, message)`` tuples, one per problem found.
    """
    # sessionKey is None when the caller omits it; the lookups below then run without one.
    sessionKey = kwargs.get('sessionKey')
    messages = []

    def isSearchEnabled(searchName, sessionKey):
        # True = enabled, False = disabled, None = saved search not found
        try:
            target = SavedSearch.get(SavedSearch.build_id(searchName, None, None), sessionKey)
            return not target.is_disabled
        except splunk.ResourceNotFound:
            return None

    def checkRelatedSearch(main_search, related_search, sessionKey, messages):
        if main_search is None:
            return
        enabled = isSearchEnabled(related_search, sessionKey)
        if enabled is None:
            # The related search could not be found
            messages.append((logging.ERROR,
                             MSG_RELATED_SEARCH_NOT_FOUND.format(main_search, related_search)))
        elif not enabled:
            # The related search is disabled
            messages.append((logging.ERROR,
                             MSG_RELATED_SEARCH_DISABLED.format(main_search, related_search)))

    related_suffixes = ('', '_0', '_1', '_2', '_3', '_4')

    for correlation_search in CorrelationSearch.all(sessionKey=sessionKey):
        try:
            ## SOLNESS-9934: using owner='nobody' to mitigate false positives as a result of owner differences
            saved_search = SavedSearch.get(
                SavedSearch.build_id(correlation_search.name, correlation_search.namespace, 'nobody'),
                sessionKey)
        except splunk.ResourceNotFound:
            ## SOLNESS-7123: Adding exception for the manual notable event correlation search entry
            if correlation_search.name != "Manual Notable Event - Rule":
                # Possibly an orphaned correlationsearches.conf stanza.
                messages.append((logging.ERROR,
                                 MSG_CORRELATION_SEARCH_ERR.format(
                                     correlation_search.name,
                                     correlation_search.namespace,
                                     SEARCHLINK_CORRELATION_SEARCH_ERR)))
            continue

        # Only an enabled correlation search needs its related searches enabled too.
        if not saved_search or saved_search.is_disabled:
            continue
        for suffix in related_suffixes:
            related_name = getattr(correlation_search, 'related_search_name' + suffix)
            if related_name is not None:
                checkRelatedSearch(correlation_search.name, related_name, sessionKey, messages)

    return messages