
SNOW TA: How to use filter_data when key-value has javascript

shandr

Does anybody know what my inputs.conf setting for filter_data must look like for a key-value like below?

I cannot find any detailed documentation on filter_data. And I see the same error when I try to use URL encoding.

[snow://pa_job_logs4_javascript]
table = pa_job_logs
filter_data = run_time>javascript:gs.getDurationDate('0 3:0:0')&sys_created_onONLast 3 months@javascript:gs.beginningOfLast3Months()@javascript:gs.endOfLast3Months()

2021-03-31 18:04:32,776 ERROR pid=22626 tid=MainThread file=snow.py:_check_filter_data:74
| Got unexpected value run_time>javascript:gs.getDurationDate('0 3:0:0')&sys_created_onONLast 3 months@javascript:gs.beginningOfLast3Months()@javascript:gs.endOfLast3Months() of 'filter_data' field for input 'pa_job_logs4_javascript'. Enter filter parameters in key1=value1&key2=value2 format. You can either change it in inputs.conf file or edit 'Filter parameters' on Inputs page.

The above table filter seems to work with the REST API Explorer in ServiceNow, i.e. sysparm_query=run_time....

Is there some trick to simplify it, or a work-around?
Splunk Add-on for ServiceNow version 4.0.0


tscroggins

@shandr 

Splunk_TA_snow only accepts query parameters of the form key=value.

From Splunk_TA_snow/bin/snow.py:

def valid_filter_data_format(filter_data):
    """
    Parses the filter_data string and returns True if the filter_data is of the format:
    "key1=value1&key2=value2|key3=value3"
    """
    filter_data_list = re.split(r'&|\|', filter_data)
    for filter_data_value in filter_data_list:
        try:
            filter_key, filter_value = [ field.strip() for field in filter_data_value.split("=") ]
        except ValueError:
            return False
        else:
            if any((not filter_key, not filter_value)):
                return False
    return True

This is a Splunk-supported app, so your best long-term option is to open a support case. Splunk will most likely categorize the case as a feature enhancement request.

ServiceNow Paris (the latest release supported by Splunk) has a significant number of operators beyond "=" for various field types that Splunk should endeavor to support in filters: https://docs.servicenow.com/bundle/paris-platform-user-interface/page/use/common-ui-elements/referen...

In the short term, you could rewrite the valid_filter_data_format function to pass the operators you use, but you'll want to be mindful of the impact to other parts of the code that use or interpret the filter data.
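
Added example, not part of the original post and not code from Splunk_TA_snow: one way the relaxed check suggested above could look, using an explicit operator allowlist instead of splitting on "=". The names parse_filter_data and valid_filter_data_format_relaxed and the operator list are assumptions; it covers only validation, since how the add-on turns filter_data into the request is not shown on this page.

```python
import re

# Operators accepted by this sketch (an assumption; extend only as needed).
# "=" is the add-on's existing form; ">" and "ON" are the two the question uses.
ALLOWED_OPERATORS = ("!=", ">=", "<=", "=", ">", "<", "ON")

# Field name: lowercase letters, digits, "_" and "." only, so an uppercase
# keyword operator such as ON cannot be absorbed into the key.
_TERM = re.compile(
    r"^(?P<key>[a-z][a-z0-9_.]*)\s*"
    r"(?P<op>" + "|".join(re.escape(op) for op in ALLOWED_OPERATORS) + r")"
    r"\s*(?P<value>.+)$"
)


def parse_filter_data(filter_data):
    """Return [(key, operator, value), ...] or None if any term is malformed."""
    terms = []
    # Same term separators as the original check: "&" and "|".
    for raw in re.split(r"&|\|", filter_data):
        match = _TERM.match(raw.strip())
        if match is None:
            return None  # no key, no allowlisted operator, or no value
        value = match.group("value").strip()
        if not value:
            return None
        terms.append((match.group("key"), match.group("op"), value))
    return terms


def valid_filter_data_format_relaxed(filter_data):
    """Boolean check with the same return type as the original function."""
    return parse_filter_data(filter_data) is not None


# The filter from the question, copied from the page.
QUESTION_FILTER = (
    "run_time>javascript:gs.getDurationDate('0 3:0:0')"
    "&sys_created_onONLast 3 months@javascript:gs.beginningOfLast3Months()"
    "@javascript:gs.endOfLast3Months()"
)

if __name__ == "__main__":
    for term in parse_filter_data(QUESTION_FILTER):
        print(term)
    print(valid_filter_data_format_relaxed("run_time"))  # no operator: rejected
```

Unlike the original, this accepts "=" inside a value (everything after the first operator is the value), so check that against whatever code consumes the filter before relying on it.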
