test

Pushed by: admin
License: VX61TM6PQ25C (Trial)
Timestamp: 2026-02-19T22:58:58.349889

apps/alert_webhook/README/alert_actions.conf.spec

@@ -0,0 +1,47 @@
+[webhook]
+
+param.user_agent = <string>
+* The value of the User-Agent HTTP header that the Splunk platform sends
+  to the webhook receiver.
+* No default.
+
+enable_allowlist = <boolean>
+* Whether or not the Splunk platform alert webhook uses the webhook allowlist
+  when it performs a webhook query.
+* The webhook allowlist defines the URLs for which webhook
+  alert actions can send HTTP POST requests.
+* A value of "true" means that the webhook allowlist is turned on, and
+  that the Splunk platform lets the webhook action query against any endpoint.
+  See the CAUTION later in this description for details.
+* A value of "false" means that the webhook allowlist is turned off.
+* While this setting is valid within the alert-actions.conf file
+  within the alert_webhook app, it is also available in the
+  alert-actions.conf file in Splunk Enterprise.
+* CAUTION: Be mindful when using this setting. If you give the setting
+  a value of "true", you must also configure the 'allowlist.<name>' setting.
+  Failure to do so is a security risk, as the webhook alert action can then
+  query against any REST endpoint, including external endpoints that are not
+  in your control and could be malicious.
+* Default (for Splunk Cloud Platform): true
+* Default (for all other Splunk products including Splunk Enterprise): false
+
+allowlist.<name> = <regular expression>
+* A list of endpoints upon which the Splunk platform webhook action can query.
+* Each allowlist entry must begin with the string "allowlist." and must be
+  on its own line.
+* The <name> component of an allowlist entry can be any string, but must be
+  unique for each entry.
+* Values are regular expression strings which must match URLs which you allow
+  the webhook action to access.
+* Following is an example allowlist:
+  * allowlist.endpoint1 = ^https:\/\/10\.201\..*\/
+    * This allowlist entry lets the webhook action access URLs of endpoints that
+      begin with the string "https://10.201" and end with a forward slash (/).
+  * allowlist.endpoint2 = ^https:\/\/(.*\.|)company.com\/?.*\/
+    * This allowlist entry lets the webhook action access URLs of endpoints that
+      begin with the string "https://", contain any machine within the domain
+      "company.com", and end with a forward slash (/).
+* CAUTION: If you don't specify an allowlist after configuring the 'enable_allowlist'
+  setting with a value of "true", the Splunk platform lets the webhook
+  action query against any endpoint, which is a security risk.
+* No default.

apps/alert_webhook/README/savedsearches.conf.spec

@@ -0,0 +1,7 @@
+# Webook alert action settings
+
+action.webhook = [0|1]
+* Enable webhook action
+
+action.webhook.param.url = <string>
+* URL to send the HTTP POST request to. Must be accessible from the Splunk server.

apps/alert_webhook/bin/webhook.py

@@ -0,0 +1,59 @@
+from __future__ import annotations
+import sys
+import json
+import csv
+import gzip
+from collections import OrderedDict
+from future.moves.urllib.request import urlopen, Request
+from future.moves.urllib.error import HTTPError, URLError
+
+def send_webhook_request(url, body, user_agent=None) -> bool:
+    if url is None:
+        sys.stderr.write("ERROR No URL provided\n")
+        return False
+    sys.stderr.write("INFO Sending POST request to url=%s with size=%d bytes payload\n" % (url, len(body)))
+    sys.stderr.write("DEBUG Body: %s\n" % body)
+    try:
+        if sys.version_info >= (3, 0) and type(body) == str:
+            body = body.encode()
+        settings = {"Content-Type": "application/json"}
+        if user_agent is not None:
+            settings['User-Agent'] = user_agent
+        req = Request(url, body, settings)
+        res = urlopen(req)
+        if 200 <= res.code < 300:
+            sys.stderr.write("INFO Webhook receiver responded with HTTP status=%d\n" % res.code)
+            return True
+        else:
+            sys.stderr.write("ERROR Webhook receiver responded with HTTP status=%d\n" % res.code)
+            return False
+    except HTTPError as e:
+        sys.stderr.write("ERROR Error sending webhook request: %s\n" % e)
+    except URLError as e:
+        sys.stderr.write("ERROR Error sending webhook request: %s\n" % e)
+    except ValueError as e:
+        sys.stderr.write("ERROR Invalid URL: %s\n" % e)
+    return False
+
+
+if __name__ == "__main__":
+    if len(sys.argv) < 2 or sys.argv[1] != "--execute":
+        sys.stderr.write("FATAL Unsupported execution mode (expected --execute flag)\n")
+        sys.exit(1)
+    try:
+        settings = json.loads(sys.stdin.read())
+        url = settings['configuration'].get('url')
+        body = OrderedDict(
+            sid=settings.get('sid'),
+            search_name=settings.get('search_name'),
+            app=settings.get('app'),
+            owner=settings.get('owner'),
+            results_link=settings.get('results_link'),
+            result=settings.get('result')
+        )
+        user_agent = settings['configuration'].get('user_agent', 'Splunk')
+        if not send_webhook_request(url, json.dumps(body), user_agent=user_agent):
+            sys.exit(2)
+    except Exception as e:
+        sys.stderr.write("ERROR Unexpected error: %s\n" % e)
+        sys.exit(3)

apps/alert_webhook/default/alert_actions.conf

@@ -0,0 +1,11 @@
+[webhook]
+python.version = latest
+is_custom = 1
+label = Webhook
+description = Generic HTTP POST to a specified URL
+icon_path = webhook.png
+payload_format = json
+
+param.user_agent = Splunk/$server.guid$
+
+enable_allowlist = false

apps/alert_webhook/default/app.conf

@@ -0,0 +1,18 @@
+#   Version 10.0.2
+#
+# Splunk app configuration file
+#
+
+[ui]
+is_visible = 0
+label = Webhook Alert Action
+
+[launcher]
+author = Splunk
+description = Webhook Alert Action
+version=10.0.2
+
+[install]
+state = enabled
+is_configured = 1
+allows_disable = false

apps/alert_webhook/default/data/ui/alerts/webhook.html

@@ -0,0 +1,21 @@
+<form class="form-horizontal form-complex">
+    <div class="control-group">
+        <label class="control-label" for="webhook_url">URL</label>
+
+        <div class="controls">
+            <input type="text" class="input-xlarge" name="action.webhook.param.url" id="webhook_url" placeholder="https://your.server.com/foo/bar" />
+        </div>
+    </div>
+    <div class="control-group">
+        <div class="controls">
+            <span class="help-block" style="display: block; position: static; width: auto; margin-left: 0;">
+                Specified URL to send JSON payload via HTTP POST
+                (ex., https://your.server.com/api/v1/webhook). 
+                <br />
+                <a href="{{SPLUNKWEB_URL_PREFIX}}/help?location=learnmore.alert.action.webhook" target="_blank"
+                   title="Splunk help">Learn More <i class="icon-external"></i></a>
+                
+            </span>
+        </div>
+    </div>
+</form>

apps/alert_webhook/default/restmap.conf

@@ -0,0 +1,4 @@
+[validation:savedsearch]
+# Require url to be set if webhook action is enabled
+action.webhook = case('action.webhook' != "1", null(), 'action.webhook.param.url' == "action.webhook.param.url" OR 'action.webhook.param.url' == "", "No Webhook URL specified",  1==1, null())
+action.webhook.param.url = validate( match('action.webhook.param.url', "^https?://[^\s]+$"), "Webhook URL is invalid")

apps/alert_webhook/local/alert_actions.conf

@@ -0,0 +1,2 @@
+[webhook]
+

apps/alert_webhook/metadata/default.meta

@@ -0,0 +1,13 @@
+# Application-level permissions
+
+[]
+access = read : [ * ], write : [ admin, power ]
+
+[alert_actions]
+export = system
+
+[alerts]
+export = system
+
+[restmap]
+export = system

apps/introspection_generator_addon/bin/collector.path

@@ -0,0 +1 @@
+"$SPLUNK_HOME/bin/splunkd" instrument-resource-usage

apps/introspection_generator_addon/default/README

@@ -0,0 +1,17 @@
+This add-on is packaged with Splunk; it provides platform instrumentation data.
+
+This data is consumed by splunk_monitoring_console.
+
+ONLY the following configuration parameters may be modified:
+
+*  server.conf / [introspection:generator:disk_objects] / disabled
+*  server.conf / [introspection:generator:disk_objects] / acquireExtra_i_data
+*  server.conf / [introspection:generator:disk_objects] / collectionPeriodInSecs
+*  server.conf / [introspection:generator:resource_usage] / disabled
+*  server.conf / [introspection:generator:resource_usage] / acquireExtra_i_data
+*  server.conf / [introspection:generator:resource_usage] / collectionPeriodInSecs
+*  server.conf / [introspection:generator:resource_usage__iostats] / disabled
+*  server.conf / [introspection:generator:resource_usage__iostats] / collectionPeriodInSecs
+*  server.conf / [introspection:generator:resource_usage__iowait] / disabled
+
+Do NOT modify any other parameters.

apps/introspection_generator_addon/default/app.conf

@@ -0,0 +1,13 @@
+[install]
+is_configured = true
+state = enabled
+allows_disable = true
+
+[ui]
+is_visible = false
+
+[launcher]
+author = Splunk
+description = Affords and supports the Platform Instrumentation initiative.
+version = 10.0.2
+

apps/introspection_generator_addon/default/inputs.conf

@@ -0,0 +1,8 @@
+#   Version 10.0.2
+
+[monitor://$SPLUNK_HOME/var/log/introspection]
+index = _introspection
+
+[script://./bin/collector.path]
+sourcetype = splunk_resource_usage__internal
+interval = 0

apps/introspection_generator_addon/default/server.conf

@@ -0,0 +1,29 @@
+#   Version 10.0.2
+
+[introspection:generator:disk_objects]
+disabled = false
+acquireExtra_i_data = false
+collectionPeriodInSecs = 600
+
+
+[introspection:generator:resource_usage]
+disabled = false
+acquireExtra_i_data = false
+# collectionPeriodInSecs defaults to 600 (10 minutes) on UFs, 10 (1/6th of a minute) on non-UFs; this is done during packaging.
+
+
+[introspection:generator:resource_usage__iostats]
+disabled = false
+collectionPeriodInSecs = 60
+
+
+[introspection:generator:resource_usage__iowait]
+disabled = false
+
+
+[introspection:generator:kvstore]
+disabled = false
+serverStatsCollectionPeriodInSecs = 27
+collectionStatsCollectionPeriodInSecs = 600
+profilingStatsCollectionPeriodInSecs = 5
+rsStatsCollectionPeriodInSecs = 60

apps/introspection_generator_addon/metadata/default.meta

@@ -0,0 +1,2 @@
+[]
+access = read : [ admin ], write : [ admin ]

apps/journald_input/default/authorize.conf

@@ -0,0 +1,4 @@
+[capability::edit_modinput_journald]
+
+[role_admin]
+edit_modinput_journald = enabled

apps/journald_input/default/inputs.conf

@@ -0,0 +1,5 @@
+[journald]
+interval = 30
+journalctl-quiet = true
+journalctl-include-fields = PRIORITY,_SYSTEMD_UNIT,_SYSTEMD_CGROUP,_TRANSPORT,_PID,_UID,_MACHINE_ID,_GID,_COMM,_EXE
+journalctl-exclude-fields = __MONOTONIC_TIMESTAMP,__SOURCE_REALTIME_TIMESTAMP

apps/journald_input/metadata/default.meta

@@ -0,0 +1,2 @@
+[]
+access = read : [ * ], write : [ admin, power ]

apps/pusher_app_prem_prem/local/app.conf

@@ -1,2 +1,2 @@
 [launcher]
-author = JP
+author = JP-