Resolved.
1) If you change the name of the Application to meet your organization's naming standards, make sure you change the jira.py line 84 to this:
return "your_name_here"
2) You don't need the modinput. this whole piece can be commented out of lib/modinput_wrapper/base_modinput.py:
try:
self.setup_util_module = importlib.import_module(self.namespace + "_setup_util")
except ImportError as ie:
self.logger.info("Can not import package:" +
self.namespace + "_setup_util")
3) The Python script appends "and updated > -5m" to the JQL, (5m is based on what inputs.conf has for interval) so make sure you wrap your JQL in ( ) so that it's treated as a complete query and the "and updated" logic gets applied after the JQL.
4) If you use the "fields" limiter in the inputs.conf, you must have "updated" in the list or the jira.py fails. Also, make sure you separate your fields with a , followed by a " " - because the split in jira.py splits based on ", "
Why it requires a space defies the logic behind csv format, but it must be there.
Field limiting and a smart JQL are a must, because otherwise a massive amount of data is returned and your Splunk queries will have to be very selective.
Many things, but this does now work in my environment.
... View more