Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Splunk saved search expert bot #1666

Merged
16 commits merged into from
Dec 4, 2020
Merged

Splunk saved search expert bot #1666

16 commits merged into from
Dec 4, 2020

Conversation

creideiki
Copy link
Contributor

An expert bot that enriches events based on Splunk saved searches.

@creideiki
Copy link
Contributor Author

I have no idea how to test this functionality without a Splunk instance filled with live data, so there are currently no tests.

@creideiki
Add configuration for whether search results overwrite existing values
2d155b2 
Add a parameter `overwrite` to the Splunk expert bot, having the
same semantics as the `overwrite` argument to
intelmq.message.Message.add().
@ghost ghost added this to the 2.3.0 milestone Nov 26, 2020
@ghost ghost self-assigned this Nov 26, 2020
@ghost ghost self-requested a review November 26, 2020 13:58
@ghost ghost added component: bots feature Indicates new feature requests or new features labels Nov 26, 2020
ghost
ghost suggested changes Nov 26, 2020
View reviewed changes
Copy link

@ghost ghost left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please add a link to Splunk documentation on saved searches to the bot docs

I have no idea how to test this functionality without a Splunk instance filled with live data, so there are currently no tests.

Yeah, that would be tricky I guess.

docs/user/bots.rst Outdated Show resolved Hide resolved
docs/user/bots.rst Outdated Show resolved Hide resolved
docs/user/bots.rst Outdated Show resolved Hide resolved
docs/user/bots.rst Outdated Show resolved Hide resolved
docs/user/bots.rst Outdated Show resolved Hide resolved
intelmq/bots/experts/splunk_saved_search/expert.py Outdated Show resolved Hide resolved
intelmq/bots/experts/splunk_saved_search/expert.py Outdated Show resolved Hide resolved
intelmq/bots/experts/splunk_saved_search/expert.py Show resolved Hide resolved
intelmq/bots/experts/splunk_saved_search/expert.py Outdated Show resolved Hide resolved
@creideiki
Copy link
Contributor Author

Please add a link to Splunk documentation on saved searches to the bot docs

Added. Note that the documentation is headlined "reports", and only mentions saved searches in passing. The terminology it uses is unclear, but a report is a presentation of the result of a saved search, with an optional schedule for running the saved search periodically.

@creideiki
Handle events without fields for search parameter
d18baa3 
If an event arrives which lacks one of the fields set as a search
parameter, log this as a warning and send the message on unmodified.
ghost
ghost suggested changes Nov 30, 2020
View reviewed changes
intelmq/bots/BOTS Outdated Show resolved Hide resolved
@ghost
Copy link

ghost commented Dec 4, 2020

Thank you very much again! :)

@ghost ghost merged commit 275dbb7 into certtools:develop Dec 4, 2020
This pull request was closed.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
Assignees
No one assigned
Labels
component: bots feature Indicates new feature requests or new features
Projects
None yet
Milestone
2.3.0
Development

Successfully merging this pull request may close these issues.
1 participant
@creideiki