I have a setup.xml and a myappsetup.conf all set up properly (let's make that assumption for now; still many bugs to iron out). From within myappsetup.conf, there is a field called order_transaction_min_count and I want to use this field in my searches.
For example:
search eventtype="Orders" | transaction fields="OrderNumber" | search count<order_transaction_min_count
Is this correct? Or am I missing something here?
In the past, I have achieved this functionality using macros. Just have your Python endpoint write out an entry in macros.conf:
# Add the definition
confMacro = {}
confMacro["definition"] = "10"
# Write out the conf file
self.writeConf("macros", "order_transaction_min_count", confMacro)
The resulting macros.conf should look something like (in local/macros.conf):
[order_transaction_min_count]
definition=10
Then, update your searches to use the macro:
search eventtype="Orders" | transaction fields="OrderNumber" | search count<`order_transaction_min_count`
Make sure to include a default value for the macro under the default directory (default/macros.conf) so that you can avoid a warning if the user did not override it with their own value.
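Because a macro definition is substituted textually into the search, the value the setup endpoint writes should be validated first. The following is an added example, not code from the original answer; the function names and the 1 to 100000 range are assumptions made for illustration.

```python
import re

# Hypothetical bounds for this example; the page does not state a valid range.
MIN_COUNT, MAX_COUNT = 1, 100000

# ASCII digits only. int() alone is too lenient: it accepts " 10\n", "+10",
# "1_0" and non-ASCII digits, none of which belong in a macro definition.
_DIGITS = re.compile(r"[0-9]{1,6}")


def macro_definition(raw_value):
    """Return the dict to pass to writeConf("macros", name, ...) or raise ValueError."""
    if not isinstance(raw_value, str) or not _DIGITS.fullmatch(raw_value):
        raise ValueError("order_transaction_min_count must be a plain integer")
    value = int(raw_value)
    if not MIN_COUNT <= value <= MAX_COUNT:
        raise ValueError("order_transaction_min_count out of range")
    # Canonical form: digits only, no leading zeros.
    return {"definition": str(value)}


def render_stanza(name, conf):
    """Render the stanza as it would appear in local/macros.conf (illustration only)."""
    lines = ["[%s]" % name]
    lines += ["%s=%s" % (key, val) for key, val in sorted(conf.items())]
    return "\n".join(lines)


def accepted(raw_value):
    """True if the value would be written, False if it is rejected."""
    try:
        macro_definition(raw_value)
        return True
    except ValueError:
        return False


# Constructed sample inputs: one valid value, then values that would otherwise
# add search terms, add a second stanza, or slip past int().
SAMPLES = ["10", "0010", "10 | stats count", "10\n[other_macro]", "1_0", "\u0663", ""]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), "->", "write" if accepted(sample) else "reject")
    print(render_stanza("order_transaction_min_count", macro_definition("10")))
```

In the endpoint, the returned dict takes the place of confMacro in the writeConf call shown above.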
Thanks, LukeMurphey.
Actually, I have gone with another route. Instead of using macros, I wrote a custom command which reads the configuration dictionary with:
splunk.clilib.cli_common.getConfStanza("myappconfig", "setupentity")
and also reads the first argument to my command using:
sys.argv[1]
I was able to extract the information I needed and perform the custom search within the script. So now, my final search command would look something like this:
search eventtype="Orders" | transaction fields="OrderNumber" | mycustomcommand order_transaction_min_count
Thanks for your reply anyways.