Closed sanjay900 closed 2 months ago
@hetangmodi-crest can you please take a look and research if we can update cim_actions.py?
Hi @sanjay900, can you please provide a use case where you have been using ModularAction.result2stash?
Alternatively, for getting events from Splunk, you can use ModularAlertBase.get_events of splunktaucclib/alert_actions_base.py, and to write events to Splunk, you can use ModularAction.addevents() (method definition) and ModularAction.writeevents() (method definition).
It's a very odd use case: I was replicating the event format for some events so I could generate a hash that was being used elsewhere by another addon. In saying that though, I am just passing the dict from get_events to result2stash, and noted that that was butchering mv data, hence why I raised the issue.
For the info.csv problem, I was using the addinfo setting for result2stash and noted that that wasn't working due to it not being able to read the csv, due to it looking at the wrong path.
I ended up just changing my code to load cim_actions.py directly out of Splunk_SA_CIM and that's working perfectly.
@sanjay900, I tried a minimalist script for alert action as below, covering both the issues:
```python
def process_event(helper, *args, **kwargs):
    # Pull the search results that triggered this alert action.
    events = helper.get_events()
    for event in events:
        # Convert one result dict into stash format; addinfo=True pulls
        # the search metadata (info.csv) into the stashed record.
        stashed_event = helper.result2stash(result=event, addinfo=True)
        helper.log_info(f"Stashed event: {stashed_event}")
```
Using cim_actions.py of splunktaucclib and Splunk_SA_CIM, with the addinfo parameter passed to result2stash() in both the cases. For addinfo:
Were you using per result actions? That's where I saw the difference. I noted that I would see a log that stated that it could not find CSV. Can you call the addinfo function as well?
What I noted is that the stash would just have the times set to Infinity, which appears to be what it does if the _search_et and _search_lt are missing from the data, which they were since the info.csv wasn't being loaded.
For the MV stuff, it's a sorting problem so it might only occur if you have a field with a name starting with a capital letter. What I found was that in that case, the stash method incorrectly sorts the field before the __mv_ field, and thus it outputs the field with a newline instead of each entry separately. The version in Splunk_SA_CIM mitigates this by not relying on sorting, and instead it uses a different method to deal with mv fields.
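As an added illustration of the ordering hazard described in the comment above (constructed for this thread; it is not the code of cim_actions.py in either splunktaucclib or Splunk_SA_CIM), the snippet below contrasts a renderer that walks result keys in sorted order with one that indexes the `__mv_` companion fields first. Splunk search results carry a multivalue field twice: `field` holds the values joined with newlines and `__mv_field` holds the encoded list `$v1$;$v2$` (a literal `$` is escaped as `$$`). In ASCII order an uppercase letter sorts before `_`, so `Host` comes before `__mv_Host` while `host` comes after `__mv_host`, which is exactly the capital-letter dependence reported. The sample result dict and the two `stash_*` helpers are constructed names, not anything from the library.

```python
import re

MV_PREFIX = "__mv_"
# One encoded value: "$...$" where a literal "$" inside is written "$$".
_MV_TOKEN = re.compile(r"\$((?:\$\$|[^$])*)\$")

# Constructed sample result: one mv field with a capitalised name, one
# lowercase mv field, and one single-valued field.
SAMPLE_RESULT = {
    "Host": "a\nb",
    "__mv_Host": "$a$;$b$",
    "host": "x\ny",
    "__mv_host": "$x$;$y$",
    "src": "10.0.0.1",
}


def decode_mv(encoded):
    """Decode Splunk's ``$a$;$b$`` mv encoding into a list of strings."""
    return [tok.replace("$$", "$") for tok in _MV_TOKEN.findall(encoded)]


def stash_sorted(result):
    """Order-dependent rendering (the failure mode): walk keys in sorted
    order and trust that ``__mv_<name>`` has been seen before ``<name>``.
    Returns the (field, value) pairs as they would be written out."""
    out = []
    mv_seen = {}
    for key in sorted(result):
        if key.startswith(MV_PREFIX):
            mv_seen[key[len(MV_PREFIX):]] = decode_mv(result[key])
            continue
        if key in mv_seen:
            out.extend((key, v) for v in mv_seen[key])
        else:
            # For "Host" the companion has not been seen yet, so the
            # newline-joined blob is emitted as one value.
            out.append((key, result[key]))
    return out


def stash_indexed(result):
    """Order-independent rendering: collect every ``__mv_`` companion up
    front, then render each field, so the field name's case is irrelevant."""
    mv = {
        k[len(MV_PREFIX):]: decode_mv(v)
        for k, v in result.items()
        if k.startswith(MV_PREFIX)
    }
    out = []
    for key, value in result.items():
        if key.startswith(MV_PREFIX):
            continue
        if key in mv:
            out.extend((key, v) for v in mv[key])
        else:
            out.append((key, value))
    return out


if __name__ == "__main__":
    print("sorted :", stash_sorted(SAMPLE_RESULT))
    print("indexed:", stash_indexed(SAMPLE_RESULT))
```

Running it shows `Host` coming out as a single `"a\nb"` value from `stash_sorted` while `host` is split correctly, and both split correctly from `stash_indexed`; a quick check for the same class of bug in any stash writer is to feed it an mv field whose name starts with an uppercase letter.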
:tada: This issue has been resolved in version 6.3.0 :tada:
The release is available on GitHub release
Your semantic-release bot :package::rocket:
I was tracing down why ModularAction.result2stash was not working correctly with mv fields, and I noted that cim_actions.py has some problems with mv fields and with locating the info.csv file for per result alerts. One thing I did note is that this was not an issue in some other Splunk apps, and I noted that Splunk_SA_CIM has a totally different version of cim_actions.py that has fixes for both of these issues.