contentctl 4.1.3__tar.gz → 4.1.4__tar.gz

{contentctl-4.1.3 → contentctl-4.1.4}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: contentctl
-Version: 4.1.3
+Version: 4.1.4
 Summary: Splunk Content Control Tool
 License: Apache 2.0
 Author: STRT

{contentctl-4.1.3 → contentctl-4.1.4}/contentctl/actions/new_content.py

@@ -32,7 +32,6 @@ class NewContent:
         answers['status'] = "production" #start everything as production since that's what we INTEND the content to become   
         answers['description'] = 'UPDATE_DESCRIPTION'   
         file_name = answers['name'].replace(' ', '_').replace('-','_').replace('.','_').replace('/','_').lower()
-        answers['kind'] = answers['detection_kind']
         answers['search'] = answers['detection_search'] + ' | `' + file_name + '_filter`'
         del answers['detection_search']
         answers['how_to_implement'] = 'UPDATE_HOW_TO_IMPLEMENT'

{contentctl-4.1.3 → contentctl-4.1.4}/contentctl/templates/app_template/default/app.conf

@@ -8,7 +8,6 @@ build = 16367
 
 [triggers]
 reload.analytic_stories = simple
-reload.usage_searches = simple
 reload.use_case_library = simple
 reload.correlationsearches = simple
 reload.analyticstories = simple

{contentctl-4.1.3 → contentctl-4.1.4}/pyproject.toml

@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "contentctl"
-version = "4.1.3"
+version = "4.1.4"
 description = "Splunk Content Control Tool"
 authors = ["STRT <research@splunk.com>"]
 license = "Apache 2.0"

contentctl-4.1.3/contentctl/templates/app_template/default/usage_searches.conf

@@ -1,73 +0,0 @@
-[escu-metrics-usage]
-action.email.useNSSubject = 1
-alert.digest_mode = True
-alert.suppress = 0
-alert.track = 0
-auto_summarize.dispatch.earliest_time = -1d@h
-dispatchAs = user
-search = index=_audit sourcetype="audittrail" \
-"ESCU - "\
-`comment("Find all the search names in the audittrail.")`\
-| stats count(search) by search savedsearch_name user\
-| eval usage=(if(savedsearch_name=="","Adhoc","Scheduled")) \
-`comment("If the savedsearch_name field in the audittrail is empty, the search was run adhoc. Otherwise it was run as a scheduled search")`\
-| rex field=search "\"(?<savedsearch_name>.*)\""\
-`comment("Extract the name of the search from the search string")`\
-| table savedsearch_name count(search) usage user | join savedsearch_name max=0 type=left [search sourcetype="manifests" | spath searches{} | mvexpand searches{} | spath input=searches{} | table category search_name | rename search_name as savedsearch_name | dedup savedsearch_name] | search category=*
-
-[escu-metrics-search]
-action.email.useNSSubject = 1
-alert.suppress = 0
-alert.track = 0
-auto_summarize.dispatch.earliest_time = -1d@h
-enableSched = 1
-cron_schedule = 0 0 * * *
-dispatch.earliest_time = -4h@h
-dispatch.latest_time = -1h@h
-search = index=_audit action=search | transaction search_id maxspan=3m | search ESCU | stats sum(total_run_time) avg(total_run_time) max(total_run_time) sum(result_count)
-
-[escu-metrics-search-events]
-action.email.useNSSubject = 1
-alert.digest_mode = True
-alert.suppress = 0
-alert.track = 0
-auto_summarize.dispatch.earliest_time = -1d@h
-cron_schedule = 0 0 * * *
-enableSched = 1
-dispatch.earliest_time = -4h@h
-dispatch.latest_time = -1h@h
-search = [search index=_audit sourcetype="audittrail" \"ESCU NOT "index=_audit" | where search !="" | dedup search_id | rex field=search "\"(?<search_name>.*)\"" | rex field=_raw "user=(?<user>[a-zA-Z0-9_\-]+)" | eval usage=if(savedsearch_name!="", "scheduled", "adhoc") | eval savedsearch_name=if(savedsearch_name != "", savedsearch_name, search_name) | table savedsearch_name search_id user _time usage | outputlookup escu_search_id.csv | table search_id] index=_audit total_run_time event_count result_count NOT "index=_audit" | lookup escu_search_id.csv search_id | stats count(savedsearch_name) AS search_count avg(total_run_time) AS search_avg_run_time sum(total_run_time) AS search_total_run_time sum(result_count) AS search_total_results earliest(_time) AS firsts latest(_time) AS lasts by savedsearch_name user usage| eval first_run=strftime(firsts, "%B %d %Y") | eval last_run=strftime(lasts, "%B %d %Y")
-
-[escu-metrics-search-longest-runtime]
-action.email.useNSSubject = 1
-alert.digest_mode = True
-alert.suppress = 0
-alert.track = 0
-auto_summarize.dispatch.earliest_time = -1d@h
-enableSched = 1
-cron_schedule = 0 0 * * *
-disabled = 1
-dispatch.earliest_time = -4h@h
-dispatch.latest_time = -1h@h
-search = index=_* ESCU [search index=_* action=search latest=-2h earliest=-1d| transaction search_id maxspan=3m | search ESCU | stats values(total_run_time) AS run by search_id | sort -run | head 1| table search_id] | table search search_id
-
-[escu-metrics-usage-search]
-action.email.useNSSubject = 1
-alert.digest_mode = True
-alert.suppress = 0
-alert.track = 0
-auto_summarize.dispatch.earliest_time = -1d@h
-cron_schedule = 0 0 * * *
-dispatch.earliest_time = -4h@h
-dispatch.latest_time = -1h@h
-enableSched = 1
-dispatchAs = user
-search = index=_audit sourcetype="audittrail" \
-"ESCU - "\
-`comment("Find all the search names in the audittrail. Ignore the last few minutes so we can exclude this search's text from the result.")`\
-| stats count(search) by search savedsearch_name user\
-| eval usage=(if(savedsearch_name=="","Adhoc","Scheduled")) \
-`comment("If the savedsearch_name field in the audittrail is empty, the search was run adhoc. Otherwise it was run as a scheduled search")`\
-| rex field=search "\"(?<savedsearch_name>.*)\""\
-`comment("Extract the name of the search from the search string")`\
-| table savedsearch_name count(search) usage user | join savedsearch_name max=0 type=left [search sourcetype="manifests" | spath searches{} | mvexpand searches{} | spath input=searches{} | table category search_name | rename search_name as savedsearch_name | dedup savedsearch_name] | search category=*