You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
121 lines
4.2 KiB
121 lines
4.2 KiB
# Copyright (C) 2005-2024 Splunk Inc. All Rights Reserved.
|
|
|
|
import sys
|
|
|
|
# Core Splunk Imports
|
|
import splunk.rest
|
|
|
|
from splunk.clilib.bundle_paths import make_splunkhome_path
|
|
|
|
sys.path.append(make_splunkhome_path(['etc', 'apps', 'SA-ITOA', 'lib']))
|
|
import itsi_path
|
|
from itsi_py3 import _
|
|
from itsi.searches.get_kpi_search import KPISearchRetriever
|
|
from ITOA.setup_logging import getLogger4SearchCmd
|
|
|
|
logger, settings, read_results = getLogger4SearchCmd(return_all=True)
|
|
|
|
|
|
def parseArgs():
|
|
'''
|
|
Parse the arguments out, we're expecting only one argument - entity
|
|
'''
|
|
i = 1
|
|
kvargs = {}
|
|
fields = []
|
|
incomplete_kv = None
|
|
while i < len(sys.argv):
|
|
arg = sys.argv[i]
|
|
i += 1
|
|
if arg == "is_debug":
|
|
continue
|
|
else:
|
|
# We are using the fields here to match against the result set
|
|
assignment_op = arg.find("=")
|
|
'''
|
|
We have a kwarg here: It can take the following forms
|
|
key=value
|
|
key = value
|
|
key= value
|
|
key =value
|
|
ERROR Conditions
|
|
= (no other parameters)
|
|
key=
|
|
=value
|
|
QUESTIONABLE Conditions
|
|
key == value
|
|
'''
|
|
if assignment_op == -1:
|
|
if incomplete_kv is not None:
|
|
# We had an incomplete kv and now an assignment op
|
|
if incomplete_kv[:-1] not in kvargs:
|
|
kvargs[incomplete_kv[:-1]] = [arg]
|
|
elif arg not in kvargs[incomplete_kv[:-1]]:
|
|
kvargs[incomplete_kv[:-1]].append(arg)
|
|
incomplete_kv = None
|
|
continue
|
|
# No assignment character, add it to the fields list and continue
|
|
fields.append(arg)
|
|
continue
|
|
if assignment_op == 0:
|
|
# We began the string with an equals sign
|
|
if len(fields) == 0:
|
|
# This will abort our run
|
|
splunk.Intersplunk.parseError(_("Incomplete key-value pair found. Must specify a key."))
|
|
if arg.rfind("=") != 0:
|
|
splunk.Intersplunk.parseError(_("Double equal signs found. Must fix your query."))
|
|
key = fields.pop()
|
|
if len(arg) == 1:
|
|
# We have something like key = value, save this as an incomplete kv
|
|
incomplete_kv = key + arg
|
|
continue
|
|
else:
|
|
# We have something like this key =value
|
|
if key not in kvargs:
|
|
kvargs[key] = [arg[1:]]
|
|
elif arg[1:] not in kvargs[key]:
|
|
kvargs[key].append(arg[1:])
|
|
continue
|
|
if assignment_op == len(arg) - 1:
|
|
# The only equals sign was at the very end of the string
|
|
incomplete_kv = arg
|
|
continue
|
|
# The first assignment op was somewhere in the middle of the string. Check for dupes
|
|
if assignment_op != arg.rfind("="):
|
|
splunk.Intersplunk.parseError(_("Double equal signs found. Must fix your query."))
|
|
# Only one assignment operator
|
|
pargs = arg.split("=")
|
|
if pargs[0] in kvargs:
|
|
kvargs[pargs[0]].append(pargs[1])
|
|
else:
|
|
kvargs[pargs[0]] = [pargs[1]]
|
|
if incomplete_kv is not None:
|
|
splunk.Intersplunk.parseError(_("Incomplete key-value pair found. Must fix your query."))
|
|
|
|
return {'kvargs': kvargs}
|
|
|
|
|
|
args = parseArgs()
|
|
|
|
is_debug = False
|
|
kvArgsObj = args['kvargs']
|
|
if 'is_debug' in kvArgsObj:
|
|
val = kvArgsObj['is_debug']
|
|
if len(val) > 0 and val[0] == 'True':
|
|
is_debug = True
|
|
|
|
results = []
|
|
sr = None
|
|
try:
|
|
sr = KPISearchRetriever(read_results, settings, args, is_debug)
|
|
logger.error("args into command [get_kpi_search] - %s, is_debug = %s", args, is_debug)
|
|
results = sr.execute()
|
|
except Exception as e:
|
|
if sr is not None:
|
|
sr.logger.exception(e)
|
|
results = splunk.Intersplunk.generateErrorResults(e)
|
|
finally:
|
|
# Output results
|
|
sr.logger.debug(results)
|
|
splunk.Intersplunk.outputResults(results)
|