If you want to get this app working you need to update the 2 separate pieces of the faup.py file as listed above.
The first is whether or not it is a Linux or Darwin system. The second is the logging folder. I updated the faup.py on Linux to the code listed below and it works fine now, except that the uri_resource_path will sometimes have uri_query information included. Not sure why that is just yet.
faup.py-
import os
import platform

def where_is_faup():
    # Original code, which depended on the SPLUNK_HOME environment variable:
    # if platform.system() == "Darwin":
    #     return os.environ['SPLUNK_HOME'] + "/etc/apps/faup/opt/faup-darwin"
    # if platform.system() == "Linux":
    #     return os.environ['SPLUNK_HOME'] + "/etc/apps/faup/opt/faup-linux"
    #
    # Resolve the bundled binary relative to this script instead.
    if platform.system() == "Darwin":
        return os.path.join(os.path.dirname(__file__), "..", "opt", "faup-darwin")
    if platform.system() == "Linux":
        return os.path.join(os.path.dirname(__file__), "..", "opt", "faup-linux")
    # I don't know, so let's trust the system
    return "faup"

faup_bin = where_is_faup()
And also
import logging
import logging.handlers

def setup_logger():
    """
    Setup a logger for our lookup
    """
    logger = logging.getLogger('faup')
    logger.setLevel(logging.DEBUG)
    # Absolute path to the log file under the Splunk install directory
    file_handler = logging.handlers.RotatingFileHandler('/opt/splunk/var/log/splunk/faup.log')
    formatter = logging.Formatter('%(asctime)s %(levelname)s %(message)s')
    file_handler.setFormatter(formatter)
    logger.addHandler(file_handler)
    return logger
When running the command use
* | lookup faup url
If the url is extracted as something different, say uri, then use:
* | lookup faup url AS uri
Hopefully they can just write this into Splunk Enterprise base so we can use urlparse just as we can use urldecode.
IAN.
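An added example, not part of the original post and not the faup app's own code: a variant of the two fragments above that confirms the bundled binary is an executable file before using it, resolves any PATH fallback to an absolute path, and builds the log path from SPLUNK_HOME. The names find_faup and faup_log_path and the rotation limits are assumptions made for illustration.

```python
import logging
import logging.handlers
import os
import platform
import shutil

# Binary names as shipped under the app's opt/ directory (taken from the post).
BUNDLED = {"Darwin": "faup-darwin", "Linux": "faup-linux"}


def find_faup(script_dir, system=None):
    """Return the bundled faup binary if it is a runnable file, else one on PATH."""
    name = BUNDLED.get(system or platform.system())
    if name:
        candidate = os.path.abspath(os.path.join(script_dir, "..", "opt", name))
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate
    # A PATH fallback runs whichever "faup" the Splunk user's PATH resolves
    # first, so return the absolute path and let the caller log it.
    found = shutil.which("faup")
    if found is None:
        raise FileNotFoundError("no executable faup binary found")
    return found


def faup_log_path(env=None):
    """Build the log path from SPLUNK_HOME; /opt/splunk is only the fallback."""
    env = os.environ if env is None else env
    home = env.get("SPLUNK_HOME", "/opt/splunk")
    return os.path.join(home, "var", "log", "splunk", "faup.log")


def setup_logger(log_path):
    """Attach one size-capped rotating handler; repeated calls add no duplicates."""
    logger = logging.getLogger("faup")
    logger.setLevel(logging.DEBUG)
    if not logger.handlers:
        # Rotation limits are assumed values, not taken from the app.
        handler = logging.handlers.RotatingFileHandler(
            log_path, maxBytes=1_000_000, backupCount=3)
        handler.setFormatter(
            logging.Formatter("%(asctime)s %(levelname)s %(message)s"))
        logger.addHandler(handler)
    return logger
```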