zulip/zerver/webhooks/splunk/view.py

# Webhooks for external integrations.
from typing import Any, Dict, Iterable, Optional, Text

from django.http import HttpRequest, HttpResponse
from django.utils.translation import ugettext as _

from zerver.decorator import api_key_only_webhook_view
from zerver.lib.actions import check_send_stream_message
from zerver.lib.request import REQ, has_request_variables
from zerver.lib.response import json_error, json_success
from zerver.lib.validator import check_dict, check_string
from zerver.models import MAX_SUBJECT_LENGTH, UserProfile

@api_key_only_webhook_view('Splunk')
@has_request_variables
def api_splunk_webhook(request, user_profile,
                       payload=REQ(argument_type='body'), stream=REQ(default='splunk'),
                       topic=REQ(default=None)):
    # type: (HttpRequest, UserProfile, Dict[str, Any], Text, Optional[Text]) -> HttpResponse

    # use default values if expected data is not provided
    search_name = payload.get('search_name', 'Missing search_name')
    results_link = payload.get('results_link', 'Missing results_link')
    host = payload.get('result', {}).get('host', 'Missing host')
    source = payload.get('result', {}).get('source', 'Missing source')
    raw = payload.get('result', {}).get('_raw', 'Missing _raw')

    # if no topic provided, use search name but truncate if too long
    if topic is None:
        if len(search_name) >= MAX_SUBJECT_LENGTH:
            topic = "{}...".format(search_name[:(MAX_SUBJECT_LENGTH - 3)])
        else:
            topic = search_name

    # construct the message body
    body = "Splunk alert from saved search"
    body_template = ('\n[{search}]({link})\nhost: {host}'
                     '\nsource: {source}\n\nraw: {raw}')
    body += body_template.format(search = search_name, link = results_link,
                                 host = host, source = source, raw = raw)

    # send the message
    check_send_stream_message(user_profile, request.client, stream, topic, body)

    return json_success()
Add a Splunk webhook integration. Add a webhook to create messages from Splunk search alerts. The search alert JSON includes the first search result and a link to view the full results. The following fields are used: * search_name - the name of the saved search * results_link - URL of the full search results * host - the host the search result came from * source - the source file on that host * _raw - the raw text of the logged event. The Zulip message contains: * search name * host * source * raw The destination stream and message topic are configurable: the default stream is "splunk" and the default topic "Splunk Alert". If the topic is not provided in the URL, the search name is used instead (truncated if too long. If a needed field is missing, a default value is used instead. Example: "Missing source" It is possible to configure a Splunk search to not include some values, so I've provided defaults rather than return an error for missing data. In practice, these fields are unlikely to be deliberately suppressed. Note: alerts are only available for Splunk servers using a valid trial, developer, or paid license. I've added tests for the normal case of one search result, the topic from the search name, and for a search missing one of the fields used. Tested using Splunk Enterprise 6.5.1. Fixes #3477 2017-01-26 00:37:23 +01:00			`# Webhooks for external integrations.`
python: Sort imports in webhooks. 2017-11-16 00:43:10 +01:00			`from typing import Any, Dict, Iterable, Optional, Text`

			`from django.http import HttpRequest, HttpResponse`
Add a Splunk webhook integration. Add a webhook to create messages from Splunk search alerts. The search alert JSON includes the first search result and a link to view the full results. The following fields are used: * search_name - the name of the saved search * results_link - URL of the full search results * host - the host the search result came from * source - the source file on that host * _raw - the raw text of the logged event. The Zulip message contains: * search name * host * source * raw The destination stream and message topic are configurable: the default stream is "splunk" and the default topic "Splunk Alert". If the topic is not provided in the URL, the search name is used instead (truncated if too long. If a needed field is missing, a default value is used instead. Example: "Missing source" It is possible to configure a Splunk search to not include some values, so I've provided defaults rather than return an error for missing data. In practice, these fields are unlikely to be deliberately suppressed. Note: alerts are only available for Splunk servers using a valid trial, developer, or paid license. I've added tests for the normal case of one search result, the topic from the search name, and for a search missing one of the fields used. Tested using Splunk Enterprise 6.5.1. Fixes #3477 2017-01-26 00:37:23 +01:00			`from django.utils.translation import ugettext as _`
python: Sort imports in webhooks. 2017-11-16 00:43:10 +01:00
webhooks: Import REQ, has_request_variables from zerver.lib.request. We now import REQ and has_request_variables from zerver.lib.request, which is where these methods are defined. Fixes #7195. 2017-10-31 04:25:48 +01:00			`from zerver.decorator import api_key_only_webhook_view`
webhooks: Migrate to check_send_stream_message. This commit migrates all webhooks to use check_send_stream_message instead of check_send_message. The only two webhooks that still use check_send_message are our yo and teamcity webhooks. They both use check_send_message for private messages. 2017-09-30 04:18:16 +02:00			`from zerver.lib.actions import check_send_stream_message`
webhooks: Import REQ, has_request_variables from zerver.lib.request. We now import REQ and has_request_variables from zerver.lib.request, which is where these methods are defined. Fixes #7195. 2017-10-31 04:25:48 +01:00			`from zerver.lib.request import REQ, has_request_variables`
python: Sort imports in webhooks. 2017-11-16 00:43:10 +01:00			`from zerver.lib.response import json_error, json_success`
Add a Splunk webhook integration. Add a webhook to create messages from Splunk search alerts. The search alert JSON includes the first search result and a link to view the full results. The following fields are used: * search_name - the name of the saved search * results_link - URL of the full search results * host - the host the search result came from * source - the source file on that host * _raw - the raw text of the logged event. The Zulip message contains: * search name * host * source * raw The destination stream and message topic are configurable: the default stream is "splunk" and the default topic "Splunk Alert". If the topic is not provided in the URL, the search name is used instead (truncated if too long. If a needed field is missing, a default value is used instead. Example: "Missing source" It is possible to configure a Splunk search to not include some values, so I've provided defaults rather than return an error for missing data. In practice, these fields are unlikely to be deliberately suppressed. Note: alerts are only available for Splunk servers using a valid trial, developer, or paid license. I've added tests for the normal case of one search result, the topic from the search name, and for a search missing one of the fields used. Tested using Splunk Enterprise 6.5.1. Fixes #3477 2017-01-26 00:37:23 +01:00			`from zerver.lib.validator import check_dict, check_string`
python: Sort imports in webhooks. 2017-11-16 00:43:10 +01:00			`from zerver.models import MAX_SUBJECT_LENGTH, UserProfile`
Add a Splunk webhook integration. Add a webhook to create messages from Splunk search alerts. The search alert JSON includes the first search result and a link to view the full results. The following fields are used: * search_name - the name of the saved search * results_link - URL of the full search results * host - the host the search result came from * source - the source file on that host * _raw - the raw text of the logged event. The Zulip message contains: * search name * host * source * raw The destination stream and message topic are configurable: the default stream is "splunk" and the default topic "Splunk Alert". If the topic is not provided in the URL, the search name is used instead (truncated if too long. If a needed field is missing, a default value is used instead. Example: "Missing source" It is possible to configure a Splunk search to not include some values, so I've provided defaults rather than return an error for missing data. In practice, these fields are unlikely to be deliberately suppressed. Note: alerts are only available for Splunk servers using a valid trial, developer, or paid license. I've added tests for the normal case of one search result, the topic from the search name, and for a search missing one of the fields used. Tested using Splunk Enterprise 6.5.1. Fixes #3477 2017-01-26 00:37:23 +01:00
			`@api_key_only_webhook_view('Splunk')`
			`@has_request_variables`
zerver/decorator: Set request.client in api_key_only_webhook_view. Previously, api_key_only_webhook_view passed 3 positional arguments (request, user_profile, and client) into a function. However, most of our other auth decorators only pass 2 positional arguments. For the sake of consistency, we now make api_key_only_webhook_view set request.client and pass only request and user_profile as positional arguments. 2017-05-02 01:00:50 +02:00			`def api_splunk_webhook(request, user_profile,`
Add a Splunk webhook integration. Add a webhook to create messages from Splunk search alerts. The search alert JSON includes the first search result and a link to view the full results. The following fields are used: * search_name - the name of the saved search * results_link - URL of the full search results * host - the host the search result came from * source - the source file on that host * _raw - the raw text of the logged event. The Zulip message contains: * search name * host * source * raw The destination stream and message topic are configurable: the default stream is "splunk" and the default topic "Splunk Alert". If the topic is not provided in the URL, the search name is used instead (truncated if too long. If a needed field is missing, a default value is used instead. Example: "Missing source" It is possible to configure a Splunk search to not include some values, so I've provided defaults rather than return an error for missing data. In practice, these fields are unlikely to be deliberately suppressed. Note: alerts are only available for Splunk servers using a valid trial, developer, or paid license. I've added tests for the normal case of one search result, the topic from the search name, and for a search missing one of the fields used. Tested using Splunk Enterprise 6.5.1. Fixes #3477 2017-01-26 00:37:23 +01:00			`payload=REQ(argument_type='body'), stream=REQ(default='splunk'),`
			`topic=REQ(default=None)):`
zerver/decorator: Set request.client in api_key_only_webhook_view. Previously, api_key_only_webhook_view passed 3 positional arguments (request, user_profile, and client) into a function. However, most of our other auth decorators only pass 2 positional arguments. For the sake of consistency, we now make api_key_only_webhook_view set request.client and pass only request and user_profile as positional arguments. 2017-05-02 01:00:50 +02:00			`# type: (HttpRequest, UserProfile, Dict[str, Any], Text, Optional[Text]) -> HttpResponse`
Add a Splunk webhook integration. Add a webhook to create messages from Splunk search alerts. The search alert JSON includes the first search result and a link to view the full results. The following fields are used: * search_name - the name of the saved search * results_link - URL of the full search results * host - the host the search result came from * source - the source file on that host * _raw - the raw text of the logged event. The Zulip message contains: * search name * host * source * raw The destination stream and message topic are configurable: the default stream is "splunk" and the default topic "Splunk Alert". If the topic is not provided in the URL, the search name is used instead (truncated if too long. If a needed field is missing, a default value is used instead. Example: "Missing source" It is possible to configure a Splunk search to not include some values, so I've provided defaults rather than return an error for missing data. In practice, these fields are unlikely to be deliberately suppressed. Note: alerts are only available for Splunk servers using a valid trial, developer, or paid license. I've added tests for the normal case of one search result, the topic from the search name, and for a search missing one of the fields used. Tested using Splunk Enterprise 6.5.1. Fixes #3477 2017-01-26 00:37:23 +01:00
			`# use default values if expected data is not provided`
			`search_name = payload.get('search_name', 'Missing search_name')`
			`results_link = payload.get('results_link', 'Missing results_link')`
			`host = payload.get('result', {}).get('host', 'Missing host')`
			`source = payload.get('result', {}).get('source', 'Missing source')`
			`raw = payload.get('result', {}).get('_raw', 'Missing _raw')`

			`# if no topic provided, use search name but truncate if too long`
			`if topic is None:`
			`if len(search_name) >= MAX_SUBJECT_LENGTH:`
			`topic = "{}...".format(search_name[:(MAX_SUBJECT_LENGTH - 3)])`
			`else:`
			`topic = search_name`

			`# construct the message body`
			`body = "Splunk alert from saved search"`
			`body_template = ('\n[{search}]({link})\nhost: {host}'`
			`'\nsource: {source}\n\nraw: {raw}')`
			`body += body_template.format(search = search_name, link = results_link,`
			`host = host, source = source, raw = raw)`

			`# send the message`
webhooks: Migrate to check_send_stream_message. This commit migrates all webhooks to use check_send_stream_message instead of check_send_message. The only two webhooks that still use check_send_message are our yo and teamcity webhooks. They both use check_send_message for private messages. 2017-09-30 04:18:16 +02:00			`check_send_stream_message(user_profile, request.client, stream, topic, body)`
Add a Splunk webhook integration. Add a webhook to create messages from Splunk search alerts. The search alert JSON includes the first search result and a link to view the full results. The following fields are used: * search_name - the name of the saved search * results_link - URL of the full search results * host - the host the search result came from * source - the source file on that host * _raw - the raw text of the logged event. The Zulip message contains: * search name * host * source * raw The destination stream and message topic are configurable: the default stream is "splunk" and the default topic "Splunk Alert". If the topic is not provided in the URL, the search name is used instead (truncated if too long. If a needed field is missing, a default value is used instead. Example: "Missing source" It is possible to configure a Splunk search to not include some values, so I've provided defaults rather than return an error for missing data. In practice, these fields are unlikely to be deliberately suppressed. Note: alerts are only available for Splunk servers using a valid trial, developer, or paid license. I've added tests for the normal case of one search result, the topic from the search name, and for a search missing one of the fields used. Tested using Splunk Enterprise 6.5.1. Fixes #3477 2017-01-26 00:37:23 +01:00
			`return json_success()`