splunk 3.0.5 - new sdk (#3151)

Author: rmurray-r7

plugins/splunk/.CHECKSUM

@@ -1,7 +1,7 @@
 {
-	"spec": "3b8e2c4c8554a574bccac7b24b1cb611",
-	"manifest": "fd83cac2d710e230498e31f58e78bb35",
-	"setup": "7707e196202a60185a01a4dd69d56f83",
+	"spec": "771ddbfa431640df013578618bbe2a4f",
+	"manifest": "0476300dd94fa9ffbc21303a25b00ba4",
+	"setup": "c859cdb5d1e4b29d0d37e0c08f117c15",
 	"schemas": [
 		{
 			"identifier": "create_saved_search/schema.py",

plugins/splunk/Dockerfile

@@ -1,4 +1,4 @@
-FROM --platform=linux/amd64 rapid7/insightconnect-python-3-slim-plugin:5.3.2
+FROM --platform=linux/amd64 rapid7/insightconnect-python-3-slim-plugin:6.2.5
 
 LABEL organization=rapid7
 LABEL sdk=python
@@ -12,7 +12,7 @@ RUN if [ -f requirements.txt ]; then pip install -r requirements.txt; fi
 
 ADD . /python/src
 
-RUN python setup.py build && python setup.py install
+RUN pip install .
 
 # User to run plugin code. The two supported users are: root, nobody
 USER nobody

plugins/splunk/bin/icon_splunk

@@ -6,8 +6,8 @@ from sys import argv
 
 Name = "Splunk"
 Vendor = "rapid7"
-Version = "3.0.4"
-Description = "The Splunk plugin allows you to search, monitor, and analyze machine data"
+Version = "3.0.5"
+Description = "[Splunk](https://www.splunk.com/) captures, indexes, and correlates real-time data in a searchable repository from which it can generate graphs, reports, alerts, dashboards, and visualizations. This plugin allows you to interact with Splunk by hooking alerts to trigger InsightConnect workflows, run (saved) searches, retrieve search results, and even insert data back into Splunk from a workflow"
 
 
 def main():

plugins/splunk/help.md

@@ -1,45 +1,41 @@
 # Description
 
-[Splunk](https://www.splunk.com/) captures, indexes, and correlates real-time data in a searchable repository from which it can generate graphs, reports, alerts, dashboards, and visualizations. This plugin allows you to interact with Splunk by hooking alerts to trigger InsightConnect workflows, run (saved) searches, retrieve search results, and even insert data back into Splunk from a workflow.
-
-To get Splunk alerts or send saved searches to InsightConnect, please use the [InsightConnect Splunk App](https://splunkbase.splunk.com/app/4673/).
+[Splunk](https://www.splunk.com/) captures, indexes, and correlates real-time data in a searchable repository from which it can generate graphs, reports, alerts, dashboards, and visualizations. This plugin allows you to interact with Splunk by hooking alerts to trigger InsightConnect workflows, run (saved) searches, retrieve search results, and even insert data back into Splunk from a workflow
 
 # Key Features
-  
-* Run a search query to get the results from your Splunk instance  
-* Display search results from a specified job  
-* Run, create, delete, and list saved searches to store and rerun queries over time  
-* List and modify saved search properties to view and update your reusable queries  
-* Get saved search job history to retrieve the history of a specified saved search  
+
+* Run a search query to get the results from your Splunk instance
+* Display search results from a specified job
+* Run, create, delete, and list saved searches to store and rerun queries over time
+* List and modify saved search properties to view and update your reusable queries
+* Get saved search job history to retrieve the history of a specified saved search
 * Insert events into an index to update your Splunk instance
 
 # Requirements
-  
-* Administrative credentials  
-* Splunk host IP address or hostname  
+
+* Administrative credentials
+* Splunk host IP address or hostname
 * Splunk API port
 
 # Supported Product Versions
-  
+
 * Splunk SDK 1.7.4
 
 # Documentation
 
 ## Setup
 
-To connect to Splunk, you must have valid credentials and network access to the Splunk API port (Splunk's default is TCP/8089). This plugin supports both the Free and Enterprise Splunk licenses.
+The connection configuration accepts the following parameters:  
 
-The connection configuration accepts the following parameters:
+|Name|Type|Default|Required|Description|Enum|Example|Placeholder|Tooltip|
+| :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- |
+|credentials|credential_username_password|None|False|Username and password|None|{"username":"ExampleUser","password":"ExamplePassword"}|None|None|
+|host|string|None|True|Hostname or IP address of Splunk server to connect to|None|splunk.example.com|None|None|
+|license|string|None|True|License type for Splunk host|["Enterprise", "Free"]|Free|None|None|
+|port|integer|8089|True|Port the Splunk API is listening on. Default is 8089|None|8089|None|None|
+|ssl_verify|boolean|None|True|Verify server's SSL/TLS certificate|None|True|None|None|
+|use_ssl|boolean|None|True|Whether or not to use SSL|None|True|None|None|
 
-|Name|Type|Default|Required|Description|Enum|Example|
-| :--- | :--- | :--- | :--- | :--- | :--- | :--- |
-|credentials|credential_username_password|None|False|Username and password|None|{"username":"ExampleUser","password":"ExamplePassword"}|
-|host|string|None|True|Hostname or IP address of Splunk server to connect to|None|splunk.example.com|
-|license|string|None|True|License type for Splunk host|["Enterprise", "Free"]|Free|
-|port|integer|8089|True|Port the Splunk API is listening on. Default is 8089|None|8089|
-|ssl_verify|boolean|None|True|Verify server's SSL/TLS certificate|None|True|
-|use_ssl|boolean|None|True|Whether or not to use SSL|None|True|
-  
 Example input:
 
 ```
@@ -62,16 +58,16 @@ Example input:
 
 
 #### Create Saved Search
-  
+
 This action is used to creates a saved search
 
 ##### Input
 
-|Name|Type|Default|Required|Description|Enum|Example|
-| :--- | :--- | :--- | :--- | :--- | :--- | :--- |
-|properties|object|None|False|JSON object containing additional properties to save with the saved search|None|{"description":"ExampleDescription","is_scheduled":true}|
-|query|string|None|True|Search query|None|search *|
-|saved_search_name|string|None|True|Name to give to the saved search|None|ExampleSavedSearchName|
+|Name|Type|Default|Required|Description|Enum|Example|Placeholder|Tooltip|
+| :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- |
+|properties|object|None|False|JSON object containing additional properties to save with the saved search|None|{"description":"ExampleDescription","is_scheduled":true}|None|None|
+|query|string|None|True|Search query|None|search *|None|None|
+|saved_search_name|string|None|True|Name to give to the saved search|None|ExampleSavedSearchName|None|None|
 
 Example input:
 
@@ -106,14 +102,14 @@ Example output:
 ```
 
 #### Delete Saved Search
-  
+
 This action is used to deletes a saved search
 
 ##### Input
 
-|Name|Type|Default|Required|Description|Enum|Example|
-| :--- | :--- | :--- | :--- | :--- | :--- | :--- |
-|saved_search_name|string|None|True|Name of the saved search to delete|None|ExampleSavedSearchName|
+|Name|Type|Default|Required|Description|Enum|Example|Placeholder|Tooltip|
+| :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- |
+|saved_search_name|string|None|True|Name of the saved search to delete|None|ExampleSavedSearchName|None|None|
 
 Example input:
 
@@ -138,15 +134,15 @@ Example output:
 ```
 
 #### Display Search Results
-  
+
 This action is used to displays the search results from a job
 
 ##### Input
 
-|Name|Type|Default|Required|Description|Enum|Example|
-| :--- | :--- | :--- | :--- | :--- | :--- | :--- |
-|job_id|string|None|True|The Job ID to look up results for|None|12345|
-|timeout|number|None|True|Duration of time, in seconds, to wait for retrieving results|None|5|
+|Name|Type|Default|Required|Description|Enum|Example|Placeholder|Tooltip|
+| :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- |
+|job_id|string|None|True|The Job ID to look up results for|None|12345|None|None|
+|timeout|number|None|True|Duration of time, in seconds, to wait for retrieving results|None|5|None|None|
 
 Example input:
 
@@ -185,14 +181,14 @@ Example output:
 ```
 
 #### Get Saved Search Job History
-  
+
 This action is used to returns the job history of a specified saved search
 
 ##### Input
 
-|Name|Type|Default|Required|Description|Enum|Example|
-| :--- | :--- | :--- | :--- | :--- | :--- | :--- |
-|saved_search_name|string|None|True|Name of a saved search|None|ExampleSavedSearchName|
+|Name|Type|Default|Required|Description|Enum|Example|Placeholder|Tooltip|
+| :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- |
+|saved_search_name|string|None|True|Name of a saved search|None|ExampleSavedSearchName|None|None|
 
 Example input:
 
@@ -232,18 +228,18 @@ Example output:
 ```
 
 #### Insert
-  
+
 This action is used to insert events into an index
 
 ##### Input
 
-|Name|Type|Default|Required|Description|Enum|Example|
-| :--- | :--- | :--- | :--- | :--- | :--- | :--- |
-|event|string|None|True|The event to submit|None|User logged in|
-|host|string|None|False|The source host|None|example_host|
-|index|string|None|True|Name of index|None|ExampleIndexName|
-|source|string|None|False|Source of the event|None|ExampleEventSource|
-|source_type|string|None|False|The optional source type value of the event|None|ExampleEventSourceType|
+|Name|Type|Default|Required|Description|Enum|Example|Placeholder|Tooltip|
+| :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- |
+|event|string|None|True|The event to submit|None|User logged in|None|None|
+|host|string|None|False|The source host|None|example_host|None|None|
+|index|string|None|True|Name of index|None|ExampleIndexName|None|None|
+|source|string|None|False|Source of the event|None|ExampleEventSource|None|None|
+|source_type|string|None|False|The optional source type value of the event|None|ExampleEventSourceType|None|None|
 
 Example input:
 
@@ -272,7 +268,7 @@ Example output:
 ```
 
 #### List Saved Searches
-  
+
 This action is used to lists all saved searches
 
 ##### Input
@@ -329,15 +325,15 @@ Example output:
 ```
 
 #### Modify Saved Search Properties
-  
+
 This action is used to modifies the properties of a saved search
 
 ##### Input
 
-|Name|Type|Default|Required|Description|Enum|Example|
-| :--- | :--- | :--- | :--- | :--- | :--- | :--- |
-|properties|object|None|True|JSON object of properties and values to modify|None|{"description":"ExampleDescription","is_scheduled":true}|
-|saved_search_name|string|None|True|Name of saved search to display properties for|None|ExampleSavedSearchName|
+|Name|Type|Default|Required|Description|Enum|Example|Placeholder|Tooltip|
+| :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- |
+|properties|object|None|True|JSON object of properties and values to modify|None|{"description":"ExampleDescription","is_scheduled":true}|None|None|
+|saved_search_name|string|None|True|Name of saved search to display properties for|None|ExampleSavedSearchName|None|None|
 
 Example input:
 
@@ -366,14 +362,14 @@ Example output:
 ```
 
 #### Run Saved Search
-  
+
 This action is used to runs a saved search
 
 ##### Input
 
-|Name|Type|Default|Required|Description|Enum|Example|
-| :--- | :--- | :--- | :--- | :--- | :--- | :--- |
-|saved_search_name|string|None|True|Name of saved search to run|None|ExampleSavedSearchName|
+|Name|Type|Default|Required|Description|Enum|Example|Placeholder|Tooltip|
+| :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- |
+|saved_search_name|string|None|True|Name of saved search to run|None|ExampleSavedSearchName|None|None|
 
 Example input:
 
@@ -398,16 +394,16 @@ Example output:
 ```
 
 #### Search
-  
+
 This action is used to run a query
 
 ##### Input
 
-|Name|Type|Default|Required|Description|Enum|Example|
-| :--- | :--- | :--- | :--- | :--- | :--- | :--- |
-|count|integer|100|True|The maximum number of results to return. Set to 0 for unlimited results|None|100|
-|query|string|None|True|Run a search query|None|search *|
-|search_timeframe|string|None|False|The specified timeframe for the search. Default searches over all time. Separated with dash, in the form of Unix epoch timestamps, e.g. 1498824598-1598824598. If end time is left blank, it defaults to the current time|None|1598984278-1598984478|
+|Name|Type|Default|Required|Description|Enum|Example|Placeholder|Tooltip|
+| :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- |
+|count|integer|100|True|The maximum number of results to return. Set to 0 for unlimited results|None|100|None|None|
+|query|string|None|True|Run a search query|None|search *|None|None|
+|search_timeframe|string|None|False|The specified timeframe for the search. Default searches over all time. Separated with dash, in the form of Unix epoch timestamps, e.g. 1498824598-1598824598. If end time is left blank, it defaults to the current time|None|1598984278-1598984478|None|None|
 
 Example input:
 
@@ -441,14 +437,14 @@ Example output:
 ```
 
 #### View Saved Search Properties
-  
+
 This action is used to returns the properties for a saved search
 
 ##### Input
 
-|Name|Type|Default|Required|Description|Enum|Example|
-| :--- | :--- | :--- | :--- | :--- | :--- | :--- |
-|saved_search_name|string|None|True|Name of saved search to display properties for|None|ExampleSavedSearchName|
+|Name|Type|Default|Required|Description|Enum|Example|Placeholder|Tooltip|
+| :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- |
+|saved_search_name|string|None|True|Name of saved search to display properties for|None|ExampleSavedSearchName|None|None|
 
 Example input:
 
@@ -491,6 +487,7 @@ Example output:
 
 # Version History
 
+* 3.0.5 - Updated SDK to latest version (6.2.5)
 * 3.0.4 - Updated SDK to latest version | Refreshed the plugin | Added unittests | Updated packages
 * 3.0.3 - Add `search_timeframe` input to Search action
 * 3.0.2 - Fix issue with typos in help.md and plugin description
@@ -515,5 +512,4 @@ Example output:
 
 ## References
 
-* [Splunk](https://www.splunk.com/)
-* [InsightConnect Splunk App](https://splunkbase.splunk.com/app/4673/)
+* [Splunk](https://www.splunk.com/)

plugins/splunk/plugin.spec.yaml

@@ -3,8 +3,8 @@ extension: plugin
 products: [insightconnect]
 name: splunk
 title: Splunk
-description: The Splunk plugin allows you to search, monitor, and analyze machine data
-version: 3.0.4
+description: "[Splunk](https://www.splunk.com/) captures, indexes, and correlates real-time data in a searchable repository from which it can generate graphs, reports, alerts, dashboards, and visualizations. This plugin allows you to interact with Splunk by hooking alerts to trigger InsightConnect workflows, run (saved) searches, retrieve search results, and even insert data back into Splunk from a workflow"
+version: 3.0.5
 connection_version: 3
 vendor: rapid7
 support: rapid7
@@ -21,10 +21,16 @@ requirements:
   - Administrative credentials
   - Splunk host IP address or hostname
   - Splunk API port
+troubleshooting:
+  - "If issues are encountered when using the `Search` action, try prefixing your query with `search`, example: `search index=\"*\" | head 5`."
 sdk:
   type: slim
-  version: 5.3.2
+  version: 6.2.5
   user: nobody
+links:
+  - "[Splunk](https://www.splunk.com/)"
+references:
+  - "[Splunk](https://www.splunk.com/)"
 resources:
   source_url: https://github.com/rapid7/insightconnect-plugins/tree/master/plugins/splunk
   license_url: https://github.com/rapid7/insightconnect-plugins/blob/master/LICENSE
@@ -34,6 +40,25 @@ hub_tags:
   use_cases: [threat_detection_and_response, reporting_and_analytics, data_utility, alerting_and_notifications]
   keywords: [splunk, siem, logs]
   features: []
+version_history:
+  - 3.0.5 - Updated SDK to latest version (6.2.5)
+  - 3.0.4 - Updated SDK to latest version | Refreshed the plugin | Added unittests | Updated packages
+  - 3.0.3 - Add `search_timeframe` input to Search action
+  - 3.0.2 - Fix issue with typos in help.md and plugin description
+  - 3.0.1 - New spec and help.md format for the Extension Library
+  - 3.0.0 - Remove Komand-specific Alert trigger | Fix invalid output properties | Numerous typographical fixes | Improve error handling | Smaller plugin size due to slim SDK migration | New connection test code
+  - 2.0.0 - Support SSL Verify option in the Connection | Improve error handling in Connection | Update documentation
+  - 1.1.0 - Add support for user specified number of results in the Search action
+  - 1.0.1 - Fix issue where JSON module was not imported in Search action
+  - 1.0.0 - Update to v2 Python plugin architecture | Support web server mode | Support free Splunk license
+  - 0.2.4 - SSL bug fix in SDK
+  - 0.2.3 - UTF-8 encode events in the insert action
+  - 0.2.2 - Fix bug when using multiple alert names
+  - 0.2.1 - Bugfix in connection attempts
+  - 0.2.0 - Add 8 saved search and related actions
+  - 0.1.2 - Remove logging of username and password
+  - 0.1.1 - Added poll interval input to Alert trigger
+  - 0.1.0 - Initial plugin
 connection:
   host:
     title: Host

plugins/splunk/setup.py

@@ -3,8 +3,8 @@
 
 
 setup(name="splunk-rapid7-plugin",
-      version="3.0.4",
-      description="The Splunk plugin allows you to search, monitor, and analyze machine data",
+      version="3.0.5",
+      description="[Splunk](https://www.splunk.com/) captures, indexes, and correlates real-time data in a searchable repository from which it can generate graphs, reports, alerts, dashboards, and visualizations. This plugin allows you to interact with Splunk by hooking alerts to trigger InsightConnect workflows, run (saved) searches, retrieve search results, and even insert data back into Splunk from a workflow",
       author="rapid7",
       author_email="",
       url="",