Solved: PAVO Getwatchlist Add-on - names of additional fie...

kcima · ‎10-14-2022

I am testing PAVO Getwatchlist Add-on 1.1.7 on Splunk Enterprise 9.0.0
It looks working almost fine. I need to use additional columns and set configration in getwatchlist.conf like following.

1=additional1
2=additional2
3=additional3
...

I expected that field name of additional columns become "additional1", "additional2" ... But, it became "1", "2", ...

I have tried to modify getwatchlist.py like following.

$ diff getwatchlist.py getwatchlist_fix.py
388c388
< row_holder[add_col] = self.format_value(row[int(add_col)])
---
> row_holder[add_cols[add_col]] = self.format_value(row[int(add_col)])

After that, the field names became "additional1", "additional2" ... as expected.
I am not sure which behavior is correct. But, I feel "additional1", "additional2" ... are better.

kcima · ‎11-21-2022

I have tried ver 1.2.0 and could get csv header and fields with following SPL.

| getwatchlist csv url=https://.../xx.csv

This is what I needed! Thank you so much!

View solution in original post

kcima · ‎11-21-2022

I have tried ver 1.2.0 and could get csv header and fields with following SPL.

| getwatchlist csv url=https://.../xx.csv

This is what I needed! Thank you so much!

PAVO Getwatchlist Add-on - names of additional fields?

troubleshooting

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

Join the Conversation

PAVO Getwatchlist Add-on - names of additional fields?

troubleshooting

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey