custom setup.xml with restmap.conf

klee310
Communicator

Using the documentation reference from here, I am trying to create a setup screen for my application which uses both the default end-points and some custom endpoints. I'm just getting started, but I have a few questions already.

  • The stanza inside restmap.conf specifies: handlerfile = MyApp_python_handler.py
    • Is it a specification requirement for my Python script name to follow this naming convention? Or can I call this .py file anything I want?
  • I'm not quite an expert with Python just yet, but can someone please explain to me the structure of a Python script? For example, the last line in the sample .py file, admin.init(ConfigApp, admin.CONTEXT_NONE). Is there some type of delimiter which tells the Python interpreter that this is not part of the def handleEdit from above? I'm not really accustomed to the Python syntax as I come from the C# world.
  • Also another question regarding Python. Is there some sort of switch/case construct (as we have in C#) for handling multiple (similar) conditions such as the one shown in the sample .py file (ex. field1, field2, field3, etc.)? The reason I ask this is because for my setup file, I have just about over 20 custom fields now, and writing 20 or so if/else seems pretty ridiculous. Again, from the C# world.
  • Next I have a question regarding input character encoding. My clients are likely to be using some off-world encoding, and I would like to put this setting in the setup file. Say a textbox for custom character encoding (ex. BIG-5). Now that the user puts this info in, what should I put into my Python script to update this info? More specifically, how would I update the CHARSET key in props.conf?
  • Finally, my last question is related to Splunk roles. Is there a way for my setup script to create Splunk roles? My application is intended for 3 separate roles (or types of users). I want the admin to be able to install the app and run the setup the first time, and have the roles set up automatically. In this app, I will have just over 50 saved searches, and about 20 alerts; and it would be great if I could also update the permissions of each role when they are created. For example, RoleA can search, save, and share; but RoleB can only share and not save, nor search. But of course I'd like this to be configurable directly from my setup screen.

Thanks in advance, I can use all the help I can get. klee310

0 Karma
1 Solution

LukeMurphey
Champion
  1. Python REST Handler Script Name: The Python script name is arbitrary.
  2. Python Delimiter: Python is whitespace delimited. Make sure not to use both tabs and spaces, since this causes difficult-to-debug parsing problems that will look fine to your editor but wrong to Python.
  3. Python Switch/case: Python does not have a switch/case statement. Instead, "if...elif...else" statements should be used.
  4. Customizing User Roles via Setup: You can use the REST endpoint for editing user roles. The best way to do this is to peruse the REST endpoints using a browser and playing with it until you get it right (such as https://127.0.0.1:8089/services/admin/roles which includes role information). You can set it using your Python handler and the REST endpoint. Note that you can get a session key by calling self.getSessionKey(). Alternatively, you can insert setup elements into setup.xml that use the entity of "_new" which will access the REST endpoints directly and avoid your custom setup handler entirely. See the Splunk Docs for more information.
  5. Setting the Charset in setup: You can specify the charset using your custom Python handler by writing out the appropriate entry in the conf file using the writeConf function. See below for an example. Of course, you'll want to take user input in order to determine what the stanza name should be. I hard-coded it as "host::GreekSource" in the example below.
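# Set the character encoding for the stanza.
# writeConf writes each dict entry as "key = value", so the value is only the charset name.
confEncoding = {}
confEncoding["CHARSET"] = "ISO-8859-7"

# Write out the conf file (called from inside the handler, e.g. in handleEdit)
self.writeConf("props", "host::GreekSource", confEncoding)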
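
An added example, not part of LukeMurphey's answer or of Splunk's own code: with 20 or so setup fields, a lookup table can replace a long if/elif chain and also validate the stanza name and each value before anything reaches writeConf. The field names, the patterns and the plan_conf_writes helper are assumptions made for this example; CHARSET, TZ and MAX_TIMESTAMP_LOOKAHEAD are props.conf settings.

```python
import re

# Hypothetical setup fields mapped to (conf file, props.conf key, allowed pattern).
# A real app would list each of its fields here instead of writing one elif per field.
FIELDS = {
    "charset":   ("props", "CHARSET", re.compile(r"[A-Za-z0-9][A-Za-z0-9._:-]{0,39}")),
    "timezone":  ("props", "TZ", re.compile(r"[A-Za-z0-9_+/-]{1,64}")),
    "lookahead": ("props", "MAX_TIMESTAMP_LOOKAHEAD", re.compile(r"[0-9]{1,4}")),
}
# Host part of the "host::<name>" stanza: no brackets, whitespace or newlines.
HOST_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,252}")


def plan_conf_writes(host, submitted):
    """Validate setup input; return {(conf, stanza): {key: value}} or raise ValueError."""
    if not HOST_RE.fullmatch(host):
        raise ValueError("invalid host for stanza name: %r" % (host,))
    stanza = "host::" + host
    plan = {}
    for field, raw in submitted.items():
        if field not in FIELDS:
            raise ValueError("unexpected setup field: %r" % (field,))
        conf, key, pattern = FIELDS[field]
        value = raw.strip()
        # fullmatch: the whole stripped value must fit the pattern,
        # so a value with an embedded newline or "=" line is rejected.
        if not pattern.fullmatch(value):
            raise ValueError("invalid value for %s: %r" % (field, raw))
        plan.setdefault((conf, stanza), {})[key] = value
    return plan


if __name__ == "__main__":
    # Constructed sample input, as the setup form might submit it.
    plan = plan_conf_writes("GreekSource", {"charset": "ISO-8859-7", "lookahead": "30"})
    for (conf, stanza), settings in plan.items():
        # Inside the handler's handleEdit this would be:
        #   self.writeConf(conf, stanza, settings)
        print(conf, stanza, settings)
```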

klee310
Communicator

Thanks for the help, LukeMurphey. Exactly what I was looking for.

In my setup.xml, I specify the endpoint under the block attribute. For example

Can I override these values if only one of my inputs beneath this uses another endpoint (for example the default admin/roles endpoints)?

0 Karma

klee310
Communicator

And for the second question, regarding Python delimiters, it seems there is no such thing as the ';' semicolon, like in C#. However, indentation seems to make all the difference in Python. Please correct me if I'm wrong. Thanks.

0 Karma

klee310
Communicator

OK, for the first question, handlerfile=...py can be anything... just figured that out. Was having problems earlier because of a typo in the restmap.conf (typed handleaction instead of handleraction) lol.

0 Karma