guilhemmarchand
commented
3 years ago Hi @Frossi92
Right, first I would say that I am glad that with all these complex structures, the JSON generation for the REST call still works just fine so I did it strong enough ;-)
What I am saying is the following, everything that's part of the Splunk search output in addition with your settings (such as the description field) are encapsulated in a JSON payload which is sent to the JIRA API during the REST call.
One of the very likely risks if you do not handle this is that some characters such as a \n will results in breaking the JSON structure leading to a failure of the REST call to JIRA.
To prevent this from happening, the Python file:
TA-jira-service-desk-simple-addon/bin/ta_jira_service_desk_simple_addon/modalert_jira_service_desk_helper.py
Uses a simple function:
# This function is required to prevent any failure due to content which we have no control on
def checkstr(i):
if i is not None:
i = i.replace("\\", "\\\\")
# Manage line breaks
i = i.replace("\n", "\\n")
i = i.replace("\r", "\\r")
# Manage tabs
i = i.replace("\t", "\\t")
# Manage breaking delimiters
i = i.replace("\"", "\\\"")
return i(and there's another one for custom fields)
So, I would potentially suspect that what you are trying to achieve might be captured by this function which espaces any of these chars which would otherwise break the JSON structure.
Again, it's a assumption, I would need to verify if I can get to the result you would want.
I believe I understand the use case, which seems potentially to make sense, usually users will more tend to have either one alert triggering to one JIRA issue with attaching the multi results as a CSV or JSON file, or one result from the Splunk table leading to one ticket issue (which by nature would not involve dealing with multiline results)
I will give it a shot to see if I can get that working.
Guilhem
Frossi92
Hello, this is a question rather than an issue. I am successfully creating new jiras using this add on, and I am able to create tables, and format the description of the jira through the description field. As I have multiple results (multiple lines, from a search set up as an alert) and I need to add them all to one ticket, I created a multifield value from splunk with all the results of my search. I then decided to create a table with these multivalue results, so I set up the spl query doing something on these lines:
| foreach * [ eval <<FIELD>>=mvjoin('<<FIELD>>',"| \\\\ | ")]or| foreach * [ eval <<FIELD>>=mvjoin('<<FIELD>>'," \n |")]As I would like the table to be created using the different results from my search, and then I print it using:
||_Time_||_Threat ID_||_Source IP_||_Source User_||_Protocol_||_Destination address_||_URL_||_Destination Port_||_Category_||_Firewall action_||_Sinkhole data_||_Alert severity_||Event count for user||_Number of users trying to connect_|| |$result.timestamp$|$result.threat_id$|$result.ip$|$result.user$|$result.app$|$result.destination$|$result.url$|$result.dest_port$|$result.category$|$result.fw_action$|$result.referer$|$result.severity$|$result.event_count$|$result.number_src_ip$|if I do not use the pipe within the for each, but only \\, \\\\ to escape it in splunk, I can go to the new line, within the table, but I cannot create a new cell and then go to the new line. The problem is that using only \\ will go to the new line for each result obtaining 1 table and many lines within the same cell, while I want 1 new cell for each of my splunk results. It's a bit tricky to explain without a table, but to make it clearer, I want to have a table created from the splunk results, where every new cell is being created in a new line, but I cannot seem to find a format that works for it, unless I create 1 only cell and go to the new line within it.
At the moment I create this, but I would like for every results to have a new cell / line, and no characters seem to work. Do you have any idea why?
This is what happen when I use "|" and new line or "|" and \\\\
While I would like this instead:
Thanks! Federica