Splunk Search

custom setup.xml with restmap.conf

klee310
Communicator

Using the documentation reference from here, I am trying to create a setup screen for my application which uses both the default end-points and some custom endpoints. I'm just getting started, but I have a few questions already.

  • the stanza inside restmap.conf specifies: handlerfile = MyApp_python_handler.py
    • is it a specification requirement for my Python script name to follow this naming convention, or can I call this .py file anything I want?
  • I'm not quite an expert with Python just yet, but can someone please explain to me the structure of a Python script? For example, the last line in the sample .py file, admin.init(ConfigApp, admin.CONTEXT_NONE): is there some type of delimiter which tells the Python interpreter that this is not part of the def handleEdit from above? I'm not really accustomed to the Python syntax as I come from the C# world.
  • Also, another question regarding Python. Is there some sort of switch/case construct (as we have in C#) for handling multiple (similar) conditions such as the one shown in the sample .py file (ex. field1, field2, field3, etc.)? The reason I ask this is because for my setup file, I have just about over 20 custom fields now, and writing 20 or so if/else seems pretty ridiculous. Again, from the C# world.
  • Next I have a question regarding input character encoding. My clients are likely to be using some off-world encoding, and I would like to put this setting in the setup file, say a textbox for custom character encoding (ex. BIG-5). Now that the user puts this info in, what should I put into my Python script to update this info? More specifically, how would I update the CHARSET key in props.conf?
  • Finally, my last question is related to Splunk roles. Is there a way for my setup script to create Splunk roles? My application is intended for 3 separate roles (or types of users). I want the admin to be able to install the app and run the setup the first time, and have the roles set up automatically. In this app, I will have just over 50 saved searches and about 20 alerts, and it would be great if I could also update the permissions of each role when they are created. For example, RoleA can search, save, and share; but RoleB can only share and not save, nor search. But of course I'd like this to be configurable directly from my setup screen.

Thanks in advance, I can use all the help I can get. klee310

0 Karma
1 Solution

LukeMurphey
Champion
  1. Python REST Handler Script Name: The Python script name is arbitrary.
  2. Python Delimiter: Python is whitespace delimited. Make sure not to use both tabs and spaces, since this causes difficult-to-debug parsing problems that will look fine to your editor but wrong to Python.
  3. Python Switch/case: Python does not have a switch/case statement. Instead, "if...elif...else" statements should be used.
  4. Customizing User Roles via Setup: You can use the REST endpoint for editing user roles. The best way to do this is to peruse the REST endpoints using a browser and play with them until you get it right (such as https://127.0.0.1:8089/services/admin/roles which includes role information). You can set it using your Python handler and the REST endpoint. Note that you can get a session key by calling self.getSessionKey(). Alternatively, you can insert setup elements into setup.xml that use the entity of "_new", which will access the REST endpoints directly and avoid your custom setup handler entirely. See the Splunk Docs for more information.
  5. Setting the Charset in setup: You can specify the charset using your custom Python handler by writing out the appropriate entry in the conf file using the writeConf function. See below for an example. Of course, you'll want to take user input in order to determine what the stanza name should be. I hard-coded it as "host::GreekSource" in the example below.
# Inside a handler method (e.g. handleEdit) of your admin.MConfigHandler subclass.
# Build the settings for the props.conf stanza: key is the setting name,
# value is just the charset (writeConf adds the "CHARSET = " part itself).
confEncoding = {}
confEncoding["CHARSET"] = "ISO-8859-7"

# Write out the [host::GreekSource] stanza of props.conf with CHARSET = ISO-8859-7
self.writeConf("props", "host::GreekSource", confEncoding)
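
An added example (not code from this thread or from Splunk): a complete setup handler that does what the answer above describes, but replaces the 20-branch if/elif chain with one data-driven loop and validates the charset and stanza name before writeConf puts them in props.conf. The field names, the "myapp" conf file and the "settings" stanza are assumed; admin.MConfigHandler, readConf, writeConf and callerArgs are the Splunk handler APIs the sample .py file uses.

```python
import codecs

# Constructed setup-field names standing in for the ~20 fields in the thread;
# the real arg names, conf file ("myapp") and stanza ("settings") are assumed.
PLAIN_FIELDS = ["field%d" % i for i in range(1, 21)]
CHARSET_FIELD, STANZA_FIELD = "charset", "source_stanza"

def validate_charset(name):
    """Reject charsets unknown to Python's codec registry before they reach props.conf."""
    try:
        codecs.lookup(name)
    except LookupError:
        raise ValueError("unknown charset: %r" % name)
    return name  # the user's spelling is kept; Splunk reads it as given

def validate_stanza(name):
    """Refuse stanza names that could break out of a [stanza] header line."""
    if not name or any(c in name for c in "[]\r\n"):
        raise ValueError("bad stanza name: %r" % name)
    return name

def build_conf_writes(args):
    """Map setup args to (conf, stanza, settings); one loop replaces 20 if/elif branches."""
    settings = {f: args[f] for f in PLAIN_FIELDS if args.get(f) is not None}
    writes = [("myapp", "settings", settings)]
    if args.get(CHARSET_FIELD):
        writes.append(("props", validate_stanza(args.get(STANZA_FIELD)),
                       {"CHARSET": validate_charset(args[CHARSET_FIELD])}))
    return writes

try:
    import splunk.admin as admin
except ImportError:   # outside Splunk the pure functions above still run
    admin = None

if admin is not None:
    class ConfigApp(admin.MConfigHandler):
        def setup(self):
            if self.requestedAction == admin.ACTION_EDIT:
                for name in PLAIN_FIELDS + [CHARSET_FIELD, STANZA_FIELD]:
                    self.supportedArgs.addOptArg(name)
        def handleList(self, confInfo):
            for stanza, values in self.readConf("myapp").items():
                for key, val in values.items():
                    confInfo[stanza].append(key, val)
        def handleEdit(self, confInfo):
            # callerArgs.data holds a one-element list per submitted arg
            args = {k: v[0] for k, v in self.callerArgs.data.items() if v}
            for conf, stanza, settings in build_conf_writes(args):
                self.writeConf(conf, stanza, settings)
    admin.init(ConfigApp, admin.CONTEXT_NONE)
```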

klee310
Communicator

thanks for the help LukeMurphey. Exactly what I was looking for.

In my setup.xml, I specify the endpoint under the block attribute. For example

can I override these values if only one of my input beneath this uses another endpoint (for example the default admin/roles endpoints)?

0 Karma

klee310
Communicator

And for the second question, regarding Python delimiters, it seems there is no such thing as the ';' semicolon, like in C#. However, indentation seems to make all the difference in Python. Please correct me if I'm wrong. Thanks

0 Karma

klee310
Communicator

OK, for the first question, handlerfile=...py can be anything... just figured that out. I was having problems earlier because of a typo in the restmap.conf (typed handleaction instead of handleraction) lol.

0 Karma