admingit
/
Deploiement_Server
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '4fe6dbf199'
${ noResults }
Deploiement_Server/deployment-apps/DA-ITSI-CP-unix-dashboards/bin/unix/models/saved_search.py

264 lines
8.4 KiB
Raw Blame History

'''
Provides object mapping for saved search objects
'''
from splunk.models.base import SplunkAppObjModel
from splunk.models.field import Field, BoolField, StructuredField, IntField
import splunk.search.Parser as Parser
import splunk.rest as rest
import logging
logger = logging.getLogger('splunk.models.savedsearch')
class ScheduleField(StructuredField):
'''
Represents splunk scheduler configuration for saved search objects
'''
is_scheduled = BoolField('is_scheduled')
cron_schedule = Field('cron_schedule')
next_scheduled_time = Field('next_scheduled_time')
run_on_startup = BoolField('run_on_startup')
class ActionField(StructuredField):
'''
Represents the alert action configuration for saved search objects
'''
class EmailActionField(StructuredField):
'''
Represents the email alert action configuration
'''
enabled = BoolField('action.email')
format = Field()
inline = BoolField()
sendresults = BoolField()
to = Field()
subject = Field()
#TODO: use splunk.models.server_config.PDFConfig.is_enabled instead
sendpdf = BoolField()
papersize = Field()
paperorientation = Field()
class SummaryActionField(StructuredField):
'''
Represents the summary indexing configuration
'''
enabled = BoolField('action.summary_index')
_name = Field()
inline = BoolField()
class ScriptActionField(StructuredField):
'''
Represents the custom alert script action configuration
'''
enabled = BoolField('action.script')
filename = Field()
class RSSField(StructuredField):
'''
Represents the rss configuration
'''
enabled = BoolField('action.rss')
class PopulateLookupField(StructuredField):
enabled = BoolField('action.populate_lookup')
destination = Field('action.populate_lookup.dest')
email = EmailActionField()
rss = RSSField()
script = ScriptActionField()
summary_index = SummaryActionField()
populate_lookup = PopulateLookupField()
class AlertField(StructuredField):
'''
Represents the saved search alerting configuration
'''
class SuppressAlertField(StructuredField):
'''
Represents the suppression configuration for saved search alerting
configuration
'''
enabled = BoolField('alert.suppress')
period = Field()
fieldlist = Field('alert.suppress.fields')
type = Field('alert_type')
comparator = Field('alert_comparator')
threshold = Field('alert_threshold')
condition = Field('alert_condition')
suppress = SuppressAlertField()
digest_mode = BoolField()
expires = Field()
severity = Field()
fired_count = IntField('triggered_alert_count')
track = BoolField()
class DispatchField(StructuredField):
'''
Represents the splunk search dispatch parameters
'''
buckets = Field()
earliest_time = Field()
latest_time = Field()
lookups = BoolField()
max_count = Field()
max_time = Field()
reduce_freq = Field()
spawn_process = BoolField()
time_format = Field()
ttl = Field()
class UI(StructuredField):
'''
Represents the splunk UI related parameters
'''
dispatch_view = Field('request.ui_dispatch_view')
dispatch_app = Field('request.ui_dispatch_view')
display_view = Field('displayview')
vsid = Field('vsid')
class AutoSummarizeField(StructuredField):
'''
Represents the auto-summarrize related parameters
'''
enabled = BoolField('auto_summarize')
can_summarize = Field(is_mutable=False)
is_good_summarization_candidate = Field(is_mutable=False)
cron_schedule = Field()
earliest_time = Field('auto_summarize.dispatch.earliest_time')
latest_time = Field('auto_summarize.dispatch.latest_time')
timespan = Field(is_mutable=False)
class SavedSearch(SplunkAppObjModel):
'''
Represents a Splunk saved search object
'''
resource = 'saved/searches'
search = Field()
description = Field()
dispatch = DispatchField()
schedule = ScheduleField()
action = ActionField()
alert = AlertField()
is_disabled = BoolField('disabled')
ui = UI()
auto_summarize = AutoSummarizeField()
def _calc_actions_list(self):
actions_list = []
if self.action.email.enabled:
actions_list.append('email')
if self.action.script.enabled:
actions_list.append('script')
if self.action.rss.enabled:
actions_list.append('rss')
if self.action.summary_index.enabled:
actions_list.append('summary_index')
if self.action.populate_lookup.enabled:
actions_list.append('populate_lookup')
return actions_list
def _fill_entity(self, entity, fill_value=''):
super(SavedSearch, self)._fill_entity(entity, fill_value)
entity['actions'] = ' '.join(self._calc_actions_list())
# None == not set, the backend treats unset suppresison specially when saving a search
if self.alert.suppress.enabled == None:
entity['alert.suppress'] = ''
def setSummarizationDetails(self):
CAN_SUMMARIZE_KEY = 'canSummarize'
IS_GOOD_SUMMARIZATION_CANDIDATE_KEY = 'isGoodSummarizationCandidate'
earliest_time = self.dispatch.earliest_time if self.dispatch.earliest_time else '0'
logger.debug("\n\n\n In setSummarizationDetails: search: %s, earliest_time: %s \n\n\n" % (self.search, earliest_time))
if not self.search or not earliest_time:
return
# Disallow acceleration for real-time searches
if earliest_time.startswith('rt'):
return
searchStr = self.search
if not self.search.strip().startswith('|'):
searchStr = 'search ' + searchStr
try:
parsedSearch = Parser.parseSearch(str(searchStr), timeline=False, hostPath=self.metadata.host_path, sessionKey=self.metadata.sessionKey)
searchProps = parsedSearch.properties.properties
self.auto_summarize.can_summarize = CAN_SUMMARIZE_KEY in searchProps and searchProps[CAN_SUMMARIZE_KEY]
self.auto_summarize.is_good_summarization_candidate = IS_GOOD_SUMMARIZATION_CANDIDATE_KEY in searchProps and searchProps[IS_GOOD_SUMMARIZATION_CANDIDATE_KEY]
except:
self.auto_summarize.can_summarize = False
self.auto_summarize.is_good_summarization_candidate = False
def time_value(self, field):
if field is not None:
return field[:-1]
return None
def time_unit(self, field):
if field is not None and len(field)>1:
return field[-1]
return None
def is_realtime(self):
return True if str(self.dispatch.earliest_time).startswith('rt') and str(self.dispatch.latest_time).startswith('rt') else False
def get_alerts(self):
'''
Returns a SplunkQuerySet that can be used to access the alerts fired by this saved search, if no
alerts have been fired this method will return None
The SplunkQuerySet can be modified to include a search, custom ordering etc..
'''
alerts_id = self.entity.getLink('alerts')
if alerts_id == None:
return None
from splunk.models.fired_alert import FiredAlert
return FiredAlert.get_alerts(alerts_id)
def enable(self):
if not self.action_links:
return False
for item in self.action_links:
if 'enable' in item:
response, content = rest.simpleRequest(item[1],
method='POST')
if response.status == 200:
return True
return False
def disable(self):
if not self.action_links:
return False
for item in self.action_links:
if 'disable' in item:
response, content = rest.simpleRequest(item[1],
method='POST')
if response.status == 200:
return True
return False
Reference in new issue View Git Blame Copy Permalink