I am testing PAVO Getwatchlist Add-on 1.1.7 on Splunk Enterprise 9.0.0
It looks working almost fine. I need to use additional columns and set configration in getwatchlist.conf like following.
1=additional1
2=additional2
3=additional3
...
I expected that field name of additional columns become "additional1", "additional2" ... But, it became "1", "2", ...
I have tried to modify getwatchlist.py like following.
$ diff getwatchlist.py getwatchlist_fix.py
388c388
< row_holder[add_col] = self.format_value(row[int(add_col)])
---
> row_holder[add_cols[add_col]] = self.format_value(row[int(add_col)])
After that, the field names became "additional1", "additional2" ... as expected.
I am not sure which behavior is correct. But, I feel "additional1", "additional2" ... are better.
I have tried ver 1.2.0 and could get csv header and fields with following SPL.
| getwatchlist csv url=https://.../xx.csv
This is what I needed! Thank you so much!
I have tried ver 1.2.0 and could get csv header and fields with following SPL.
| getwatchlist csv url=https://.../xx.csv
This is what I needed! Thank you so much!