zulip/zerver/webhooks/splunk/view.py

# Webhooks for external integrations.
from typing import Any, Dict

from django.http import HttpRequest, HttpResponse

from zerver.decorator import webhook_view
from zerver.lib.request import REQ, has_request_variables
from zerver.lib.response import json_success
from zerver.lib.webhooks.common import check_send_webhook_message
from zerver.models import MAX_TOPIC_NAME_LENGTH, UserProfile

MESSAGE_TEMPLATE = """
Splunk alert from saved search:
* **Search**: [{search}]({link})
* **Host**: {host}
* **Source**: `{source}`
* **Raw**: `{raw}`
""".strip()


@webhook_view("Splunk")
@has_request_variables
def api_splunk_webhook(
    request: HttpRequest,
    user_profile: UserProfile,
    payload: Dict[str, Any] = REQ(argument_type="body"),
) -> HttpResponse:

    # use default values if expected data is not provided
    search_name = payload.get("search_name", "Missing search_name")
    results_link = payload.get("results_link", "Missing results_link")
    host = payload.get("result", {}).get("host", "Missing host")
    source = payload.get("result", {}).get("source", "Missing source")
    raw = payload.get("result", {}).get("_raw", "Missing _raw")

    # for the default topic, use search name but truncate if too long
    if len(search_name) >= MAX_TOPIC_NAME_LENGTH:
        topic = f"{search_name[:(MAX_TOPIC_NAME_LENGTH - 3)]}..."
    else:
        topic = search_name

    # construct the message body
    body = MESSAGE_TEMPLATE.format(
        search=search_name,
        link=results_link,
        host=host,
        source=source,
        raw=raw,
    )

    # send the message
    check_send_webhook_message(request, user_profile, topic, body)

    return json_success(request)
Add a Splunk webhook integration. Add a webhook to create messages from Splunk search alerts. The search alert JSON includes the first search result and a link to view the full results. The following fields are used: * search_name - the name of the saved search * results_link - URL of the full search results * host - the host the search result came from * source - the source file on that host * _raw - the raw text of the logged event. The Zulip message contains: * search name * host * source * raw The destination stream and message topic are configurable: the default stream is "splunk" and the default topic "Splunk Alert". If the topic is not provided in the URL, the search name is used instead (truncated if too long. If a needed field is missing, a default value is used instead. Example: "Missing source" It is possible to configure a Splunk search to not include some values, so I've provided defaults rather than return an error for missing data. In practice, these fields are unlikely to be deliberately suppressed. Note: alerts are only available for Splunk servers using a valid trial, developer, or paid license. I've added tests for the normal case of one search result, the topic from the search name, and for a search missing one of the fields used. Tested using Splunk Enterprise 6.5.1. Fixes #3477 2017-01-26 00:37:23 +01:00			`# Webhooks for external integrations.`
webhooks: Remove unused imports. Signed-off-by: Anders Kaseorg <andersk@mit.edu> 2019-02-02 23:53:55 +01:00			`from typing import Any, Dict`
python: Sort imports in webhooks. 2017-11-16 00:43:10 +01:00
			`from django.http import HttpRequest, HttpResponse`

webhooks: Rename api_key_only_webhook_view to webhook_view. There are no other types of webhook views; this is more concise. 2020-08-20 00:32:15 +02:00			`from zerver.decorator import webhook_view`
webhooks: Import REQ, has_request_variables from zerver.lib.request. We now import REQ and has_request_variables from zerver.lib.request, which is where these methods are defined. Fixes #7195. 2017-10-31 04:25:48 +01:00			`from zerver.lib.request import REQ, has_request_variables`
webhooks: Remove unused imports. Signed-off-by: Anders Kaseorg <andersk@mit.edu> 2019-02-02 23:53:55 +01:00			`from zerver.lib.response import json_success`
webhooks: Migrate most integrations to use check_send_webhook_message. This commit migrates all of our webhooks to use check_send_webhook_message, except the following: beeminder: Rishi wanted to wait on this one. teamcity: This one is slightly more work. yo: This one is PM-only. I am still trying to decide whether we should have a force_private argument or something in check_send_webhook_message. facebook: No point in migrating this, will be removed as part of #8433. slack: Slightly more work too with the `channel_to_topics` feature. Warrants a longer discussion. 2018-03-16 22:53:50 +01:00			`from zerver.lib.webhooks.common import check_send_webhook_message`
Rename constant to MAX_TOPIC_NAME_LENGTH. 2018-11-01 21:23:48 +01:00			`from zerver.models import MAX_TOPIC_NAME_LENGTH, UserProfile`
Add a Splunk webhook integration. Add a webhook to create messages from Splunk search alerts. The search alert JSON includes the first search result and a link to view the full results. The following fields are used: * search_name - the name of the saved search * results_link - URL of the full search results * host - the host the search result came from * source - the source file on that host * _raw - the raw text of the logged event. The Zulip message contains: * search name * host * source * raw The destination stream and message topic are configurable: the default stream is "splunk" and the default topic "Splunk Alert". If the topic is not provided in the URL, the search name is used instead (truncated if too long. If a needed field is missing, a default value is used instead. Example: "Missing source" It is possible to configure a Splunk search to not include some values, so I've provided defaults rather than return an error for missing data. In practice, these fields are unlikely to be deliberately suppressed. Note: alerts are only available for Splunk servers using a valid trial, developer, or paid license. I've added tests for the normal case of one search result, the topic from the search name, and for a search missing one of the fields used. Tested using Splunk Enterprise 6.5.1. Fixes #3477 2017-01-26 00:37:23 +01:00
webhooks/splunk: Improve message formatting and punctuation. 2019-04-17 03:31:56 +02:00			`MESSAGE_TEMPLATE = """`
			`Splunk alert from saved search:`
			`* Search: [{search}]({link})`
			`* Host: {host}`
			* Source: `{source}`
			* Raw: `{raw}`
			`""".strip()`

python: Reformat with Black, except quotes. Signed-off-by: Anders Kaseorg <anders@zulip.com> 2021-02-12 08:19:30 +01:00
python: Normalize quotes with Black. Signed-off-by: Anders Kaseorg <anders@zulip.com> 2021-02-12 08:20:45 +01:00			`@webhook_view("Splunk")`
Add a Splunk webhook integration. Add a webhook to create messages from Splunk search alerts. The search alert JSON includes the first search result and a link to view the full results. The following fields are used: * search_name - the name of the saved search * results_link - URL of the full search results * host - the host the search result came from * source - the source file on that host * _raw - the raw text of the logged event. The Zulip message contains: * search name * host * source * raw The destination stream and message topic are configurable: the default stream is "splunk" and the default topic "Splunk Alert". If the topic is not provided in the URL, the search name is used instead (truncated if too long. If a needed field is missing, a default value is used instead. Example: "Missing source" It is possible to configure a Splunk search to not include some values, so I've provided defaults rather than return an error for missing data. In practice, these fields are unlikely to be deliberately suppressed. Note: alerts are only available for Splunk servers using a valid trial, developer, or paid license. I've added tests for the normal case of one search result, the topic from the search name, and for a search missing one of the fields used. Tested using Splunk Enterprise 6.5.1. Fixes #3477 2017-01-26 00:37:23 +01:00			`@has_request_variables`
python: Reformat with Black, except quotes. Signed-off-by: Anders Kaseorg <anders@zulip.com> 2021-02-12 08:19:30 +01:00			`def api_splunk_webhook(`
			`request: HttpRequest,`
			`user_profile: UserProfile,`
python: Normalize quotes with Black. Signed-off-by: Anders Kaseorg <anders@zulip.com> 2021-02-12 08:20:45 +01:00			`payload: Dict[str, Any] = REQ(argument_type="body"),`
python: Reformat with Black, except quotes. Signed-off-by: Anders Kaseorg <anders@zulip.com> 2021-02-12 08:19:30 +01:00			`) -> HttpResponse:`
Add a Splunk webhook integration. Add a webhook to create messages from Splunk search alerts. The search alert JSON includes the first search result and a link to view the full results. The following fields are used: * search_name - the name of the saved search * results_link - URL of the full search results * host - the host the search result came from * source - the source file on that host * _raw - the raw text of the logged event. The Zulip message contains: * search name * host * source * raw The destination stream and message topic are configurable: the default stream is "splunk" and the default topic "Splunk Alert". If the topic is not provided in the URL, the search name is used instead (truncated if too long. If a needed field is missing, a default value is used instead. Example: "Missing source" It is possible to configure a Splunk search to not include some values, so I've provided defaults rather than return an error for missing data. In practice, these fields are unlikely to be deliberately suppressed. Note: alerts are only available for Splunk servers using a valid trial, developer, or paid license. I've added tests for the normal case of one search result, the topic from the search name, and for a search missing one of the fields used. Tested using Splunk Enterprise 6.5.1. Fixes #3477 2017-01-26 00:37:23 +01:00
			`# use default values if expected data is not provided`
python: Normalize quotes with Black. Signed-off-by: Anders Kaseorg <anders@zulip.com> 2021-02-12 08:20:45 +01:00			`search_name = payload.get("search_name", "Missing search_name")`
			`results_link = payload.get("results_link", "Missing results_link")`
			`host = payload.get("result", {}).get("host", "Missing host")`
			`source = payload.get("result", {}).get("source", "Missing source")`
			`raw = payload.get("result", {}).get("_raw", "Missing _raw")`
Add a Splunk webhook integration. Add a webhook to create messages from Splunk search alerts. The search alert JSON includes the first search result and a link to view the full results. The following fields are used: * search_name - the name of the saved search * results_link - URL of the full search results * host - the host the search result came from * source - the source file on that host * _raw - the raw text of the logged event. The Zulip message contains: * search name * host * source * raw The destination stream and message topic are configurable: the default stream is "splunk" and the default topic "Splunk Alert". If the topic is not provided in the URL, the search name is used instead (truncated if too long. If a needed field is missing, a default value is used instead. Example: "Missing source" It is possible to configure a Splunk search to not include some values, so I've provided defaults rather than return an error for missing data. In practice, these fields are unlikely to be deliberately suppressed. Note: alerts are only available for Splunk servers using a valid trial, developer, or paid license. I've added tests for the normal case of one search result, the topic from the search name, and for a search missing one of the fields used. Tested using Splunk Enterprise 6.5.1. Fixes #3477 2017-01-26 00:37:23 +01:00
webhooks: Migrate most integrations to use check_send_webhook_message. This commit migrates all of our webhooks to use check_send_webhook_message, except the following: beeminder: Rishi wanted to wait on this one. teamcity: This one is slightly more work. yo: This one is PM-only. I am still trying to decide whether we should have a force_private argument or something in check_send_webhook_message. facebook: No point in migrating this, will be removed as part of #8433. slack: Slightly more work too with the `channel_to_topics` feature. Warrants a longer discussion. 2018-03-16 22:53:50 +01:00			`# for the default topic, use search name but truncate if too long`
Rename constant to MAX_TOPIC_NAME_LENGTH. 2018-11-01 21:23:48 +01:00			`if len(search_name) >= MAX_TOPIC_NAME_LENGTH:`
python: Convert "".format to Python 3.6 f-strings. Generated by pyupgrade --py36-plus --keep-percent-format, but with the NamedTuple changes reverted (see commit ba7906a3c657905fa35bbcfb4e97b053f050272d, #15132). Signed-off-by: Anders Kaseorg <anders@zulip.com> 2020-06-09 00:25:09 +02:00			`topic = f"{search_name[:(MAX_TOPIC_NAME_LENGTH - 3)]}..."`
webhooks: Migrate most integrations to use check_send_webhook_message. This commit migrates all of our webhooks to use check_send_webhook_message, except the following: beeminder: Rishi wanted to wait on this one. teamcity: This one is slightly more work. yo: This one is PM-only. I am still trying to decide whether we should have a force_private argument or something in check_send_webhook_message. facebook: No point in migrating this, will be removed as part of #8433. slack: Slightly more work too with the `channel_to_topics` feature. Warrants a longer discussion. 2018-03-16 22:53:50 +01:00			`else:`
			`topic = search_name`
Add a Splunk webhook integration. Add a webhook to create messages from Splunk search alerts. The search alert JSON includes the first search result and a link to view the full results. The following fields are used: * search_name - the name of the saved search * results_link - URL of the full search results * host - the host the search result came from * source - the source file on that host * _raw - the raw text of the logged event. The Zulip message contains: * search name * host * source * raw The destination stream and message topic are configurable: the default stream is "splunk" and the default topic "Splunk Alert". If the topic is not provided in the URL, the search name is used instead (truncated if too long. If a needed field is missing, a default value is used instead. Example: "Missing source" It is possible to configure a Splunk search to not include some values, so I've provided defaults rather than return an error for missing data. In practice, these fields are unlikely to be deliberately suppressed. Note: alerts are only available for Splunk servers using a valid trial, developer, or paid license. I've added tests for the normal case of one search result, the topic from the search name, and for a search missing one of the fields used. Tested using Splunk Enterprise 6.5.1. Fixes #3477 2017-01-26 00:37:23 +01:00
			`# construct the message body`
webhooks/splunk: Improve message formatting and punctuation. 2019-04-17 03:31:56 +02:00			`body = MESSAGE_TEMPLATE.format(`
python: Reformat with Black, except quotes. Signed-off-by: Anders Kaseorg <anders@zulip.com> 2021-02-12 08:19:30 +01:00			`search=search_name,`
			`link=results_link,`
			`host=host,`
			`source=source,`
			`raw=raw,`
webhooks/splunk: Improve message formatting and punctuation. 2019-04-17 03:31:56 +02:00			`)`
Add a Splunk webhook integration. Add a webhook to create messages from Splunk search alerts. The search alert JSON includes the first search result and a link to view the full results. The following fields are used: * search_name - the name of the saved search * results_link - URL of the full search results * host - the host the search result came from * source - the source file on that host * _raw - the raw text of the logged event. The Zulip message contains: * search name * host * source * raw The destination stream and message topic are configurable: the default stream is "splunk" and the default topic "Splunk Alert". If the topic is not provided in the URL, the search name is used instead (truncated if too long. If a needed field is missing, a default value is used instead. Example: "Missing source" It is possible to configure a Splunk search to not include some values, so I've provided defaults rather than return an error for missing data. In practice, these fields are unlikely to be deliberately suppressed. Note: alerts are only available for Splunk servers using a valid trial, developer, or paid license. I've added tests for the normal case of one search result, the topic from the search name, and for a search missing one of the fields used. Tested using Splunk Enterprise 6.5.1. Fixes #3477 2017-01-26 00:37:23 +01:00
			`# send the message`
webhooks: Migrate most integrations to use check_send_webhook_message. This commit migrates all of our webhooks to use check_send_webhook_message, except the following: beeminder: Rishi wanted to wait on this one. teamcity: This one is slightly more work. yo: This one is PM-only. I am still trying to decide whether we should have a force_private argument or something in check_send_webhook_message. facebook: No point in migrating this, will be removed as part of #8433. slack: Slightly more work too with the `channel_to_topics` feature. Warrants a longer discussion. 2018-03-16 22:53:50 +01:00			`check_send_webhook_message(request, user_profile, topic, body)`
Add a Splunk webhook integration. Add a webhook to create messages from Splunk search alerts. The search alert JSON includes the first search result and a link to view the full results. The following fields are used: * search_name - the name of the saved search * results_link - URL of the full search results * host - the host the search result came from * source - the source file on that host * _raw - the raw text of the logged event. The Zulip message contains: * search name * host * source * raw The destination stream and message topic are configurable: the default stream is "splunk" and the default topic "Splunk Alert". If the topic is not provided in the URL, the search name is used instead (truncated if too long. If a needed field is missing, a default value is used instead. Example: "Missing source" It is possible to configure a Splunk search to not include some values, so I've provided defaults rather than return an error for missing data. In practice, these fields are unlikely to be deliberately suppressed. Note: alerts are only available for Splunk servers using a valid trial, developer, or paid license. I've added tests for the normal case of one search result, the topic from the search name, and for a search missing one of the fields used. Tested using Splunk Enterprise 6.5.1. Fixes #3477 2017-01-26 00:37:23 +01:00
backend: Add request as parameter to json_success. Adds request as a parameter to json_success as a refactor towards making `ignored_parameters_unsupported` functionality available for all API endpoints. Also, removes any data parameters that are an empty dict or a dict with the generic success response values. 2022-01-31 13:44:02 +01:00			`return json_success(request)`