This Splunk Technical Add-on enables you to index Jira issues by querying your Jira servers' REST API. You can control which issues to index by specifying a JQL query string.
Example:
project = SD AND status != "Canceled"
http(s)://)
(Optional) Set up a proxy to use for the requests to the Jira REST API: Configuration -> Proxy
Add your Jira issue input on the app Inputs configuration page
source field)
updated field, the input does not use checkpoints to only index the latest data!
YYYY-MM-DD hh:mm (UTC). Default: 1 week ago. This field only applies if you DO NOT specify the updated field in the JQL search filter!

This app uses KV Store checkpoints to save the latest state of an input in order to only index updated Jira issues since the last run. This feature has been added in version 1.1.0 of this TA.
You can use the jira_issue_input_checkpointer_lookup lookup to view the current checkpoint value(s). Example search:
| inputlookup jira_issue_input_checkpointer_lookup
| eval input_name=_key
You can easily reindex data by modifying the checkpoint value for an input. The timestamp has to be an integer in milliseconds! Example search:
| inputlookup jira_issue_input_checkpointer_lookup
| search _key="<input_name>"
| eval state="1678718462404"
| outputlookup jira_issue_input_checkpointer_lookup append=true
Please note that checkpoints are only used if you do not specify an updated field in your JQL!
Of course, you can also just delete and create an input to reindex data!
Version 1.1.0 added checkpoint support to the TA by adding a new field to the input called Last Updated Start Time (last_updated_start_time).
Your inputs will continue to work the same way after upgrading from 1.0.x to 1.1.x, but I highly recommend migrating to checkpoints. There are two ways you can do this:
updated timestamps from the input. You can disable and enable an input to make it run manually. After that, you can just edit your inputs and remove filters for the updated field from your JQL. This will make sure that the input now uses the checkpoint for data retrieval.
Last Updated Start Time field to the last time the old input was running. Remove filters for the updated field from your JQL.

This TA includes a workaround for JRASERVER-34746, which means you can use the worklog field to fetch all worklogs.
splunk.lic
splunkbase.credentials in the root of this repository and add working Splunkbase credentials in it (hint: BugMeNot):
SPLUNKBASE_USERNAME=<username>
SPLUNKBASE_PASSWORD=<password>
docker compose up [-d]
Please make sure that files outside of the bin/ and appserver/controllers directories do not have execute permissions and are not .exe files. Splunk recommends 644 for all app files outside of the bin/ directory, 644 for scripts within the bin/ directory that are invoked using an interpreter (e.g. python my_script.py or sh my_script.sh), and 755 for scripts within the bin/ directory that are invoked directly (e.g. ./my_script.sh or ./my_script). Here's a snippet that ensures that file permissions are correct:
sudo find TA-jira_issue_input -type d -exec chmod 755 {} +
sudo find TA-jira_issue_input -type f -exec chmod 644 {} +
sudo find TA-jira_issue_input/bin/ -type f -name "*.exe" -exec chmod 755 {} +
More info: Splunk AppInspect check criteria
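
A read-only check for the permission rules described above, added here as an example (it is not part of the TA's own code): it lists files outside bin/ and appserver/controllers/ that carry an execute bit or are .exe files, without changing anything. The function names and the sample directory tree are constructed for illustration.

```shell
#!/bin/sh
# Added example, not the TA's own code. Function names are hypothetical.
# Reports files that break the rules above without changing anything.

audit_app_perms() {
    app_dir=${1:?usage: audit_app_perms <app_dir>}
    app_dir=${app_dir%/}   # a trailing slash would defeat the -path matches
    findings=$(
        {
            # Any execute bit on a file outside bin/ and appserver/controllers/
            find "$app_dir" \
                \( -path "$app_dir/bin" -o -path "$app_dir/appserver/controllers" \) -prune \
                -o -type f \( -perm -100 -o -perm -010 -o -perm -001 \) -print |
                sed 's/^/EXEC_BIT /'
            # .exe files (any letter case) outside those two directories
            find "$app_dir" \
                \( -path "$app_dir/bin" -o -path "$app_dir/appserver/controllers" \) -prune \
                -o -type f -name '*.[eE][xX][eE]' -print |
                sed 's/^/EXE_FILE /'
        } | LC_ALL=C sort
    )
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample tree with two violations, so the check runs offline.
build_sample_app() {
    d=$(mktemp -d)
    mkdir -p "$d/bin" "$d/default" "$d/appserver/controllers"
    touch "$d/bin/input.py" "$d/bin/helper.exe" "$d/appserver/controllers/c.py" \
        "$d/default/app.conf" "$d/default/inputs.conf" "$d/default/tool.EXE"
    chmod 755 "$d/bin/helper.exe" "$d/appserver/controllers/c.py"  # allowed locations
    chmod 755 "$d/default/inputs.conf"                             # violation
    printf '%s\n' "$d"
}

sample=$(build_sample_app)
audit_app_perms "$sample" || echo "Fix the files listed above before packaging."
rm -rf "$sample"
```

The function returns 1 when it finds anything, so it can gate a packaging step in CI.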