def _recreate_service(self):
"""
Clones the current service with the same values.
It then tries to log the service in if the old one was logged in.
Called when Splunk starts.
"""
self.logger.debug("Recreating and cloning the current Service.")
_was_logged_in = self._was_logged_in()
service = self._clone_existing_service()
self._service = service
if _was_logged_in:
try:
self.login()
except AuthenticationError as autherr:
self.logger.warn(
"SDKConnector for username:{username} password:{password}"
" login failed when recreating service. error msg:{error}".
format(
username=self.username,
password=self.password,
error=autherr.message,
))
# TODO: TEMPORARY FOR EST-1859
self._server_settings_endpoint = Endpoint(self._service,
self.PATH_SERVER_SETTINGS)
def __init__(
self,
splunk,
username=None,
password=None,
namespace=None,
sharing=DEFAULT_SHARING,
owner=None,
app=None,
):
"""
Creates a new connector.
The connector will not be logged in when created so you have to manually
login.
@param splunk: The Splunk instance
@type splunk: L{..splunk.Splunk}
@param username: The username to use. If None (default)
L{Connector.DEFAULT_USERNAME} is used.
@type username: str
@param password: The password to use. If None (default)
L{Connector.DEFAULT_PASSWORD} is used.
@type password: str
@param namespace: Deprecated. user owner and app instead.
@type namespace: str
@param sharing: used by python sdk service
@type sharing: str
@param owner: used by python sdk service
@type owner: str
@param app: used by python sdk service
@type app: str
"""
super(SDKConnector, self).__init__(splunk,
username=username,
password=password,
owner=owner,
app=app)
if namespace is not None and namespace != self.namespace:
msg = ("namespace is derecated. please use owner and app. "
"Your namespace setting : %s, owner&app setting:%s" %
(namespace, self.namespace))
self.logger.error(msg)
raise Exception(msg)
self.sharing = (
sharing # accepting None value, so SDK takes owner and app blindly.
)
self._service = Service(handler=self.DEFAULT_HANDLER,
**self._service_arguments)
splunk.register_start_listener(self._recreate_service)
# TODO: TEMPORARY FOR EST-1859
self._server_settings_endpoint = Endpoint(self._service,
self.PATH_SERVER_SETTINGS)
class UpdateEpisodeCommand(StreamingCommand):
"""
Processes parts of events that match a given regular expression.
This command can be placed on the middle of a search pipeline:
.. code-block:: text
<your_search> | update_episode | <your_search>
"""
# region Command options
opt_itsi_group_id = Option(doc='''
**Syntax:** **group=***<fieldname>*
**Description:** Name of the field containing the id of the episode. Must be a valid fieldname.
**Default:** itsi_group_id''',
name='group',
require=True,
default='itsi_group_id',
validate=validators.Fieldname())
opt_itsi_policy_id = Option(doc='''
**Syntax:** **policy=***<fieldname>*
**Description:** Name of the field containing the id of the notable event aggreogation policy. Must be a valid fieldname.
**Default:** itsi_policy_id''',
name='policy',
require=True,
default='itsi_policy_id',
validate=validators.Fieldname())
opt_owner = Option(doc='''
**Syntax:** **owner=***<fieldname>*
**Description:** Name of the field containing the owner of the episode. Must be a valid fieldname.
**Default:** owner''',
name='owner',
require=False,
default=None,
validate=validators.Fieldname())
opt_severity = Option(doc='''
**Syntax:** **severity=***<fieldname>*
**Description:** Name of the field containing the severity of the episode. Must be a valid fieldname.
**Default:** current severity of the episode''',
name='severity',
require=False,
default=None,
validate=validators.Fieldname())
opt_status = Option(doc='''
**Syntax:** **status=***<fieldname>*
**Description:** Name of the field containing the status of the episode. Must be a valid fieldname.
**Default:** current status of the episode''',
name='status',
require=False,
default=None,
validate=validators.Fieldname())
opt_title = Option(doc='''
**Syntax:** **title=***<fieldname>*
**Description:** Name of the field containing the owner of the episode. Must be a valid fieldname.
**Default:** title''',
name='title',
require=False,
default=None,
validate=validators.Fieldname())
opt_description = Option(doc='''
**Syntax:** **description=***<fieldname>*
**Description:** Name of the field containing the description of the episode. Must be a valid fieldname.
**Default:** description''',
name='description',
require=False,
default=None,
validate=validators.Fieldname())
opt_break_episode = Option(doc='''
**Syntax:** **break_episode=***<fieldname>*
**Description:** Name of the field containing truthy value . Must be a valid fieldname.
**Default:** break_episode''',
name='break_episode',
require=False,
default=False,
validate=validators.Fieldname())
# endregion
# region Command implementation
def __init__(self):
super(UpdateEpisodeCommand, self).__init__()
self.logger.debug("New RUN STARTS HERE")
def prepare(self):
self.endpoint = Endpoint(
self.service,
'/servicesNS/nobody/SA-ITOA/event_management_interface/vLatest')
return
def stream(self, records):
"""
Process all events. We do not expect any of the processed
fields to be multi valued!
:param records: An iterable stream of events from the command pipeline.
:return: `None`.
"""
self.logger.debug('Entering stream.{}'.format(records))
t1 = time.time()
# Put your event transformation code here
for record in records:
self.logger.info('Record {0}'.format(record))
t2 = time.time()
itsi_group_id = record.get(self.opt_itsi_group_id)
itsi_policy_id = record.get(self.opt_itsi_policy_id)
owner = record.get(self.opt_owner)
severity = record.get(self.opt_severity)
status = record.get(self.opt_status)
title = record.get(self.opt_title)
description = record.get(self.opt_description)
break_episode = record.get(self.opt_break_episode)
record["Updated"] = "True"
self.logger.info(
'episodeupdate params are : break_episode="{}" itsi_group_id="{}" itsi_policy_id="{}" status="{}" severity="{}" owner="{}" title="{}" description="{}" username="******"'
.format(break_episode, itsi_group_id, itsi_policy_id, status,
severity, owner, title, description,
self.metadata.searchinfo.username))
"""
POST request to break episode
"""
payload = {'_key': itsi_group_id}
if title:
payload['title'] = urllib.quote(title)
if description:
payload['description'] = urllib.quote(description)
if status:
payload['status'] = status
if severity:
payload['severity'] = severity
if owner:
payload['owner'] = owner
json_payload = json.dumps(payload)
path = "notable_event_group/" + itsi_group_id
self.logger.info('1.0 path={} data={}'.format(path, json_payload))
r = None
try:
if break_episode:
if itsi_policy_id and title and description:
self.logger.info(
"breaking update will run update here")
r = self.endpoint.post(
path_segment=path,
is_partial=1,
break_group_policy_id=itsi_policy_id,
body=json_payload)
record["Updated"] = "episode broken"
else:
self.logger.error(
"No policy ID, title or description was passed can't update this episode - {}"
.format(json_payload))
record[
"Updated"] = "episode NOT broken, missing properties policy_id, title and/or description"
else:
self.logger.info("regular update will run here")
r = self.endpoint.post(path_segment=path,
is_partial=1,
body=json_payload)
record["Updated"] = "episode params updated"
if r:
self.logger.info(
'Sent POST request to update episode itsi_group_id="{}" status={}'
.format(
json.loads(r['body'].read())['_key'], r['status']))
except Exception as e:
self.logger.error('Caught exception: {}'.format(e))
t3 = time.time()
self.logger.info("Update Time is:{}".format(t3 - t2))
yield record
self.logger.info("Full update time is:{}".format(time.time() - t1))
def prepare(self):
self.endpoint = Endpoint(
self.service,
'/servicesNS/nobody/SA-ITOA/event_management_interface/vLatest')
return