splunk / addonfactory-ucc-library

UCC Helper Library used by Splunk Add-ons
Apache License 2.0

cim_actions.py is out of date #288

Closed sanjay900 closed 2 months ago

sanjay900 commented 5 months ago

I was tracing down why ModularAction.result2stash was not working correctly with mv fields, and I noted that cim_actions.py has some problems with mv fields and with locating the info.csv file for per-result alerts.

One thing I did note is that this was not an issue in some other Splunk apps, and I noted that Splunk_SA_CIM has a totally different version of cim_actions.py that has fixes for both of these issues.

artemrys commented 5 months ago

@hetangmodi-crest can you please take a look and research if we can update cim_actions.py?

hetangmodi-crest commented 5 months ago

Hi @sanjay900, can you please provide a use case where you have been using ModularAction.result2stash? Alternatively, for getting events from Splunk you can use ModularAlertBase.get_events of splunktaucclib/alert_actions_base.py, and to write events to Splunk you can use ModularAction.addevents() (method definition) and ModularAction.writeevents() (method definition).

sanjay900 commented 5 months ago

It's a very odd use case: I was replicating the event format for some events so I could generate a hash that was being used elsewhere by another add-on.

In saying that though, I am just passing the dict from get_events to result2stash, and noted that it was butchering mv data, hence why I raised the issue.

For the info.csv problem, I was using the addinfo setting for result2stash and noted that it wasn't working due to it not being able to read the CSV, because it was looking at the wrong path.

I ended up just changing my code to load cim_actions.py directly out of Splunk_SA_CIM, and that's working perfectly.

hetangmodi-crest commented 5 months ago

@sanjay900, I tried a minimalist script for alert action as below, covering both the issues:

def process_event(helper, *args, **kwargs):
    # helper is the alert action's ModularAlertBase instance
    events = helper.get_events()
    for event in events:
        # addinfo=True pulls _search_et/_search_lt and friends from info.csv
        stashed_event = helper.result2stash(result=event, addinfo=True)
        helper.log_info(f"Stashed event: {stashed_event}")

Using cim_actions.py of splunktaucclib and Splunk_SA_CIM,

sanjay900 commented 5 months ago

For addinfo: Were you using per-result actions? That's where I saw the difference. I noted that I would see a log that stated that it could not find the CSV. Can you call the addinfo function as well? What I noted is that the stash would just have the times set to Infinity, which appears to be what it does if _search_et and _search_lt are missing from the data, which they were since the info.csv wasn't being loaded.

For the MV stuff, it's a sorting problem, so it might only occur if you have a field with a name starting with a capital letter. What I found was that in that case, the stash method incorrectly sorts the field before the __mv_ field, and thus it outputs the field with a newline instead of each entry separately. The version in Splunk_SA_CIM mitigates this by not relying on sorting; instead it uses a different method to deal with mv fields.
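The ordering pitfall described in the comment above, as an added, stripped-down illustration (this is not the result2stash implementation from splunktaucclib or Splunk_SA_CIM, and the two stash functions below are hypothetical). It assumes Splunk's `__mv_<field>` encoding, in which each value is wrapped in `$...$`, values are separated by `;`, and a literal dollar sign is written `$$`. In ASCII, `A`..`Z` (65..90) sort before `_` (95) while `a`..`z` (97..122) sort after it, so a key walk over `sorted(result)` meets `__mv_bar` before `bar` but `Foo` before `__mv_Foo`; the second function looks up the `__mv_` twin directly and does not depend on ordering.

```python
# Added example: shows why sorted-key iteration breaks mv handling for
# capitalised field names, and an order-independent alternative.
# The stash functions are constructed for illustration only.

MV_PREFIX = "__mv_"


def parse_mv(encoded: str) -> list[str]:
    """Decode a Splunk __mv_ string such as '$a$;$b$' into ['a', 'b'].

    Assumed encoding: each value is wrapped in '$...$', values are
    separated by ';', and a literal '$' inside a value is escaped as '$$'.
    """
    values: list[str] = []
    i, n = 0, len(encoded)
    while i < n:
        if encoded[i] != "$":
            i += 1  # ';' separator (or stray character) between tokens
            continue
        i += 1  # consume the opening '$'
        buf: list[str] = []
        while i < n:
            if encoded[i] == "$":
                if i + 1 < n and encoded[i + 1] == "$":
                    buf.append("$")  # '$$' is an escaped dollar sign
                    i += 2
                    continue
                break  # unescaped '$' closes the token
            buf.append(encoded[i])
            i += 1
        i += 1  # consume the closing '$'
        values.append("".join(buf))
    return values


def stash_sorted(result: dict[str, str]) -> dict[str, object]:
    """Hypothetical order-dependent variant: walks sorted keys and expects
    to see '__mv_<field>' before '<field>'. Works for lowercase names,
    fails for names starting with a capital letter."""
    out: dict[str, object] = {}
    mv_seen: dict[str, list[str]] = {}
    for key in sorted(result):
        if key.startswith(MV_PREFIX):
            if result[key]:  # empty __mv_ means the field is single-valued
                mv_seen[key[len(MV_PREFIX):]] = parse_mv(result[key])
        elif key in mv_seen:
            out[key] = mv_seen[key]
        else:
            # mv twin not seen yet: the newline-joined string leaks through
            out[key] = result[key]
    return out


def stash_lookup(result: dict[str, str]) -> dict[str, object]:
    """Hypothetical order-independent variant: for every plain field, look
    up its '__mv_' twin directly instead of relying on key order."""
    out: dict[str, object] = {}
    for key, value in result.items():
        if key.startswith(MV_PREFIX):
            continue
        mv = result.get(MV_PREFIX + key)
        out[key] = parse_mv(mv) if mv else value
    return out


# Constructed sample result row: one capitalised mv field, one lowercase
# mv field, one single-valued field with an empty __mv_ companion.
SAMPLE_RESULT = {
    "Foo": "a\nb",
    "__mv_Foo": "$a$;$b$",
    "bar": "x\ny",
    "__mv_bar": "$x$;$y$",
    "host": "h1",
    "__mv_host": "",
}

if __name__ == "__main__":
    print("sorted :", stash_sorted(SAMPLE_RESULT))  # Foo stays 'a\nb'
    print("lookup :", stash_lookup(SAMPLE_RESULT))  # Foo becomes ['a', 'b']
```

Running it shows `stash_sorted` emitting `Foo` as the newline-joined string while `bar` is split correctly, which matches the symptom reported above; `stash_lookup` splits both and leaves `host` untouched because its `__mv_` companion is empty.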

srv-rr-github-token commented 2 months ago

:tada: This issue has been resolved in version 6.3.0 :tada:

The release is available on GitHub release

Your semantic-release bot :package::rocket: