SNOW TA: How to use filter_data when key-value has javascript

shandr
Path Finder

Does anybody know what my inputs.conf setting for filter_data must look like for a key-value like below?

I cannot find any detailed documentation on filter_data, and I see the same error when I try to use URL encoding.

[snow://pa_job_logs4_javascript]
table = pa_job_logs
filter_data = run_time>javascript:gs.getDurationDate('0 3:0:0')&sys_created_onONLast 3 months@javascript:gs.beginningOfLast3Months()@javascript:gs.endOfLast3Months()

2021-03-31 18:04:32,776 ERROR pid=22626 tid=MainThread file=snow.py:_check_filter_data:74
| Got unexpected value run_time>javascript:gs.getDurationDate('0 3:0:0')&sys_created_onONLast 3 months@javascript:gs.beginningOfLast3Months()@javascript:gs.endOfLast3Months() of 'filter_data' field for input 'pa_job_logs4_javascript'. Enter filter parameters in key1=value1&key2=value2 format. You can either change it in inputs.conf file or edit 'Filter parameters' on Inputs page.

The table filter above seems to work with the REST API Explorer in ServiceNow, i.e. sysparm_query=run_time....

Is there some trick to simplify it, or a workaround?
Splunk Add-on for ServiceNow version 4.0.0

1 Solution

tscroggins
Motivator

@shandr 

Splunk_TA_snow only accepts query parameters of the form key=value.

From Splunk_TA_snow/bin/snow.py:

def valid_filter_data_format(filter_data):
    """
    Parses the filter_data string and returns True if the filter_data is of the format:
    "key1=value1&key2=value2|key3=value3"
    """
    filter_data_list = re.split(r'&|\|', filter_data)
    for filter_data_value in filter_data_list:
        try:
            filter_key, filter_value = [ field.strip() for field in filter_data_value.split("=") ]
        except ValueError:
            return False
        else:
            if any((not filter_key, not filter_value)):
                return False
    return True

This is a Splunk supported app, so your best long-term option is to open a support case. Splunk will most likely categorize the case as a feature enhancement request.

ServiceNow Paris (the latest release supported by Splunk) has a significant number of operators beyond "=" for various field types that Splunk should endeavor to support in filters: https://docs.servicenow.com/bundle/paris-platform-user-interface/page/use/common-ui-elements/referen...

In the short term, you could rewrite the valid_filter_data_format function to pass the operators you use, but you'll want to be mindful of the impact to other parts of the code that use or interpret the filter data.
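One way to approach the short-term rewrite suggested in the answer above, shown as an added example (not code from Splunk_TA_snow or from either poster). It reproduces the excerpt's check so the rejection can be seen, then parses against an explicit operator allowlist. The names `parse_filter_data`, `ALLOWED_OPERATORS`, `TERM_RE` and `QUESTION_FILTER` are hypothetical, and the lowercase field-name rule is an assumption.

```python
import re

# The filter from the question, copied from the inputs.conf stanza above.
QUESTION_FILTER = ("run_time>javascript:gs.getDurationDate('0 3:0:0')"
                   "&sys_created_onONLast 3 months"
                   "@javascript:gs.beginningOfLast3Months()"
                   "@javascript:gs.endOfLast3Months()")

def valid_filter_data_format(filter_data):
    """Logic of the excerpt above, repeated so this block runs stand-alone."""
    for term in re.split(r'&|\|', filter_data):
        try:
            key, value = [f.strip() for f in term.split("=")]
        except ValueError:  # zero or several "=" in the term
            return False
        if not key or not value:
            return False
    return True

# Assumption: allow only the operators this thread needs; extend deliberately.
ALLOWED_OPERATORS = ("=", ">", "ON")
# Assumption: field names use lowercase letters, digits, "_" and "." only,
# which keeps the uppercase "ON" operator separable from "sys_created_on".
TERM_RE = re.compile(
    r"^\s*(?P<key>[a-z][a-z0-9_.]*)"
    r"(?P<op>" + "|".join(re.escape(o) for o in ALLOWED_OPERATORS) + r")"
    r"(?P<value>.*\S)\s*$"
)

def parse_filter_data(filter_data):
    """Return [(key, operator, value), ...], or None if any term is rejected."""
    terms = []
    for term in re.split(r'&|\|', filter_data):
        match = TERM_RE.match(term)
        if match is None:  # unknown operator, empty key or empty value
            return None
        terms.append((match.group("key"), match.group("op"),
                      match.group("value")))
    return terms

if __name__ == "__main__":
    print(valid_filter_data_format(QUESTION_FILTER))
    print(parse_filter_data(QUESTION_FILTER))
```

Because the operator is returned separately, any downstream code that assumes "=" when it builds the request can be checked against it, which is the impact the answer warns about.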
