scalyr
diff --git a/‎.DS_Store‎
0 Bytes b/‎.DS_Store‎
0 Bytes
diff --git a/‎README.md‎
Lines changed: 15 additions & 4 deletions b/‎README.md‎
Lines changed: 15 additions & 4 deletions
diff --git a/‎globalConfig.json‎
Lines changed: 140 additions & 4 deletions b/‎globalConfig.json‎
Lines changed: 140 additions & 4 deletions
diff --git a/‎output/TA-dataset-1.0.0.tar.gz‎
-2.94 MB b/‎output/TA-dataset-1.0.0.tar.gz‎
-2.94 MB
diff --git a/‎output/TA-dataset-1.1.0.tar.gz‎
2.95 MB b/‎output/TA-dataset-1.1.0.tar.gz‎
2.95 MB
diff --git a/‎package/README/inputs.conf.spec‎
Lines changed: 8 additions & 0 deletions b/‎package/README/inputs.conf.spec‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎package/app.manifest‎
Lines changed: 1 addition & 1 deletion b/‎package/app.manifest‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎package/bin/dataset_alerts.py‎
Lines changed: 7 additions & 7 deletions b/‎package/bin/dataset_alerts.py‎
Lines changed: 7 additions & 7 deletions
diff --git a/‎package/bin/dataset_common.py‎
Lines changed: 32 additions & 1 deletion b/‎package/bin/dataset_common.py‎
Lines changed: 32 additions & 1 deletion
@@ -81,14 +81,20 @@ The DataSet Add-on for Splunk collects the following inputs utilizing time-based
 | dataset:query | User-defined standard [query](https://app.scalyr.com/help/api#query) API call to index events | - |
 
 ## SPL Command
-The `| dataset` command allows queries against the DataSet API directly from Splunk's search bar. Five optional parameters are supported:
+The `| dataset` command allows queries against the DataSet API directly from Splunk's search bar. Optional parameters are supported:
 
-- **method** - Define `query` or `powerQuery` to call the appropriate REST endpoint. Default is query.
-- **query** - The DataSet [query](https://app.scalyr.com/help/query-language) or Power Query []()  used to filter events. Default is no filter (return all events limited by maxCount).
-- **maxcount** - Number of events to return from DataSet. Default is 100.
+- **method** - Define `query`, `powerquery` or `timeseries` to call the appropriate REST endpoint. Default is query.
+- **query** - The DataSet [query](https://app.scalyr.com/help/query-language) or filter used to select events. Default is no filter (return all events limited by maxCount).
+- **maxcount** - Number of events to return from DataSet query or powerquery. Default is 100. Not used for timeseries.
 - **starttime** - The Splunk time picker can be used (not "All Time"), but if starttime is defined it will take precedence to define the [start time](https://app.scalyr.com/help/time-reference) for DataSet events to return. Use epoch time or relative shorthand in the form of a number followed by d, h, m or s (for days, hours, minutes or seconds), e.g.: `24h`. Default is 24h.
 - **endtime** - The Splunk time picker can be used (not "All Time"), but if endtime is defined it will take precedence to define the [end time](https://app.scalyr.com/help/time-reference) for DataSet events to return. Use epoch time or relative shorthand in the form of a number followed by d, h, m or s (for days, hours, minutes or seconds), e.g.: `5m`. Default is current time at search.
 
+For timeseries queries, additional parameters include:
+- **function** - Define value to compute from matching events. Default is rate.
+- **buckets** - The number of numeric values to return by dividing time range into equal slices. Default is 1.
+- **createsummaries** - Specify whether to create summaries to automatically update on ingestion pipeline. Default is true, *be sure to set to false for one-off or while testing new queries*.
+- **useonlysummaries** - Specify whether to only use preexisting timeseries for fastest speed.
+
 For all queries, be sure to `"`wrap the entire query in double quotes`"`, and inside use `'`single quotes`'` or double quotes `\"`escaped with a backslash`\"`, as shown in the following examples.
 
 Query Example:
@@ -116,6 +122,11 @@ Since events are returned in JSON format, the Splunk [spath command](https://doc
 | collect index=dataset
 ```
 
+Timeseries Query Example:
+```
+| dataset method=timeseries search="serverHost='scalyr-metalog'" function="p90(delayMedian)" starttime="24h" buckets=24 createsummaries=false onlyusesummaries=false
+```
+
 ## Alert Action
 An alert action allows sending an event to the DataSet [addEvents API](https://app.scalyr.com/help/api#addEvents). 
 
 
@@ -2,7 +2,7 @@
     "meta": {
         "name": "TA-dataset",
         "displayName": "DataSet Add-on for Splunk",
-        "version": "1.0.0",
+        "version": "1.1.0",
         "restRoot": "TA_dataset",
         "schemaVersion": "0.0.3"
     },
@@ -356,20 +356,156 @@
                                 }
                             ]
                         },
+                        {
+                            "field": "dataset_query_columns",
+                            "label": "Columns",
+                            "help": "If left blank, all columns are returned.",
+                            "required": false,
+                            "type": "text",
+                            "validators": [
+                                {
+                                    "type": "string",
+                                    "minLength": 0,
+                                    "maxLength": 8192,
+                                    "errorMsg": "Max length of text input is 8192"
+                                },
+                                {
+                                    "type": "regex",
+                                    "pattern": "^(\\w+,\\s*)*\\w+$",
+                                    "errorMsg": "Column names must be comma separated."
+                                }
+                            ]
+                        },
                         {
                             "field": "max_count",
                             "label": "Max Count",
-                            "help": "Specifies the maximum number of records to return, from 1 to 5000. If left blank, the default is 100.",
+                            "help": "Specifies the maximum number of records to return. If left blank, the default is 100.",
                             "required": false,
                             "type": "text",
                             "validators": [
                                 {
                                     "type": "number",
                                     "range": [
                                         1,
-                                        5000
+                                        9999999
                                     ],
-                                    "errorMsg": "Max Count must be 1 - 5000"
+                                    "errorMsg": "Max Count must be a number"
+                                }
+                            ]
+                        }
+                    ]
+                },
+                {
+                    "name": "dataset_powerquery",
+                    "title": "DataSet PowerQuery",
+                    "entity": [
+                        {
+                            "field": "name",
+                            "label": "Name",
+                            "type": "text",
+                            "help": "Enter a unique name for the data input",
+                            "required": true,
+                            "validators": [
+                                {
+                                    "type": "regex",
+                                    "pattern": "^[a-zA-Z]\\w*$",
+                                    "errorMsg": "Input Name must start with a letter and followed by alphabetic letters, digits or underscores."
+                                },
+                                {
+                                    "type": "string",
+                                    "minLength": 1,
+                                    "maxLength": 100,
+                                    "errorMsg": "Length of input name should be between 1 and 100"
+                                }
+                            ]
+                        },
+                        {
+                            "field": "interval",
+                            "label": "Interval",
+                            "type": "text",
+                            "required": true,
+                            "help": "Time interval of input in seconds.",
+                            "validators": [
+                                {
+                                    "type": "regex",
+                                    "pattern": "^\\-[1-9]\\d*$|^\\d*$",
+                                    "errorMsg": "Interval must be an integer."
+                                }
+                            ]
+                        },
+                        {
+                            "field": "index",
+                            "label": "Index",
+                            "type": "singleSelect",
+                            "defaultValue": "default",
+                            "options": {
+                                "endpointUrl": "data/indexes",
+                                "createSearchChoice": true,
+                                "denyList": "^_.*$"
+                            },
+                            "required": true,
+                            "validators": [
+                                {
+                                    "type": "string",
+                                    "minLength": 1,
+                                    "maxLength": 80,
+                                    "errorMsg": "Length of index name should be between 1 and 80."
+                                }
+                            ]
+                        },
+                        {
+                            "field": "start_time",
+                            "label": "Start Time",
+                            "help": "Relative time to query back. Use short form relative time, e.g.: 24h or 30d. Reference https://app.scalyr.com/help/time-reference.",
+                            "required": true,
+                            "type": "text",
+                            "defaultValue": "5m",
+                            "validators": [
+                                {
+                                    "type": "string",
+                                    "minLength": 0,
+                                    "maxLength": 8192,
+                                    "errorMsg": "Max length of text input is 8192"
+                                },
+                                {
+                                    "type": "regex",
+                                    "pattern": "^\\d+(d|h|m|s)$",
+                                    "errorMsg": "Start time must be a digit follow by one of: d, h, m, s."
+                                }
+                            ]
+                        },
+                        {
+                            "field": "end_time",
+                            "label": "End Time",
+                            "help": "If left blank, present time at query execution is used. If defined, use short form relative time.",
+                            "required": false,
+                            "type": "text",
+                            "validators": [
+                                {
+                                    "type": "string",
+                                    "minLength": 0,
+                                    "maxLength": 8192,
+                                    "errorMsg": "Max length of text input is 8192"
+                                },
+                                {
+                                    "type": "regex",
+                                    "pattern": "^\\d+(d|h|m|s)$",
+                                    "errorMsg": "End time must be a digit follow by one of: d, h, m, s."
+                                }
+                            ]
+                        },
+                        {
+                            "field": "dataset_query_string",
+                            "label": "DataSet PowerQuery String",
+                            "help": "DataSet PowerQuery to return results.",
+                            "required": true,
+                            "type": "text",
+                            "validators": [
+                                {
+                                    "type": "string",
+                                    "minLength": 0,
+                                    "maxLength": 8192,
+                                    "errorMsg": "Max length of text input is 8192"
                                 }
                             ]
                         }
 
@@ -2,10 +2,18 @@
 start_time = Start time for the DataSet query to use. Use shortform (e.g.: 1m, 24h, 3d).
 end_time = If left blank, present time at query execution is used.
 dataset_query_string = If left blank, all records (limited by max count) are retrieved.
+dataset_query_columns = If left blank, all columns are retrieved.
 max_count = Specifies the maximum number of records to return, from 1 to 5000. If left blank, the default is 100.
 python.version = {default|python|python2|python3}
 start_by_shell = {true|false}
 
+[dataset_powerquery://<name>]
+start_time = Start time for the DataSet query to use. Use shortform (e.g.: 1m, 24h, 3d).
+end_time = If left blank, timestamp and message from all records (limited by max count) are retrieved.
+dataset_query_string = If left blank, all records (limited by max count) are retrieved.
+python.version = {default|python|python2|python3}
+start_by_shell = {true|false}
+
 [dataset_alerts://<name>]
 start_time = Relative time to query back. Use short form relative time, e.g.: 24h or 30d. Reference https://app.scalyr.com/help/time-reference
 python.version = {default|python|python2|python3}
 
@@ -5,7 +5,7 @@
     "id": {
       "group": null,
       "name": "TA-dataset",
-      "version": "1.0.0"
+      "version": "1.1.0"
     },
     "author": [
       {
 
@@ -91,17 +91,17 @@ def stream_events(self, inputs, ew):
             r_json = r.json() #parse results json
 
             #log information from results
-            if r_json['status']:
+            if 'status' in r_json:
                 logger.info("response status=%s" % str(r_json['status']))
 
-            if r_json['warnings']:
+            if 'warnings' in r_json:
                 for warning in r_json['warnings']:
                     logger.warning("response warning=%s" % str(warning))
 
-            if r_json['matchingEvents']:
+            if 'matchingEvents' in r_json:
                 logger.info("response matches=%s" % str(r_json['matchingEvents']))
 
-            if r_json['omittedEvents']:
+            if 'omitedEvents' in r_json:
                 logger.warning("response omitted=%s" % str(r_json['omittedEvents']))
 
             #parse results, match returned columns with corresponding values
@@ -125,9 +125,6 @@ def stream_events(self, inputs, ew):
 
                     if event_time > checkpoint_time:
                         #if greater than current checkpoint, update checkpoint and write event
-                        logger.debug("saving checkpoint %s" % (str(event_time)))
-                        checkpoint.update(input_name, {"timestamp": event_time})
-
                         splunk_dt = normalize_time(int(event_time))
                         ds_event = json.dumps(ds_event_dict)
                         #create and write event
@@ -139,6 +136,9 @@ def stream_events(self, inputs, ew):
                         )
                         logger.debug("writing event with event_time=%s and checkpoint=%s" % (str(event_time), str(checkpoint_time)))
                         ew.write_event(event)
+
+                        logger.debug("saving checkpoint %s" % (str(event_time)))
+                        checkpoint.update(input_name, {"timestamp": event_time})
                     else:
                         logger.debug("skipping due to event_time=%s is less than checkpoint=%s" % (str(event_time), str(checkpoint_time)))
             else:
 
@@ -2,6 +2,7 @@
 import os.path as op
 import sys
 import json
+import time
 from collections import OrderedDict
 
 import import_declare_test
@@ -128,4 +129,34 @@ def get_proxy(session_key, logger):
 
 def normalize_time(ds_time):
     splunk_dt = ds_time / 1000000000
-    return splunk_dt
+    return splunk_dt
+
+
+def relative_to_epoch(relative):
+    """
+    This function uses return epoch time from a relative time
+    :param relative: shorthand relative time stamp (e.g. "24h" for 24 hours ago)
+    :return : time_relative in epoch as an integer
+    """
+    relative_num = int(relative[0:-1])
+    relative_unit = relative[-1:]
+    #get current epoch time in milliseconds
+    time_current = int(time.time())
+    num_seconds = 1
+    if relative_unit == 'm':
+        num_seconds = num_seconds * 60
+    elif relative_unit == 'h':
+        num_seconds = num_seconds * 60 * 60
+    elif relative_unit == 'd':
+        num_seconds = num_seconds * 60 * 60 * 24
+
+    time_relative = time_current - (relative_num * num_seconds)
+    return time_relative
+
+
+def get_maxcount(max):
+    #query API returns max 5,000 results per call
+    if max > 5000:
+        return 5000
+    else:
+        return max
Original file line number	Diff line number	Diff line change
`@@ -5,7 +5,7 @@`
`5`	`5`	`"id": {`
`6`	`6`	`"group": null,`
`7`	`7`	`"name": "TA-dataset",`
`8`		`- "version": "1.0.0"`
	`8`	`+ "version": "1.1.0"`
`9`	`9`	`},`
`10`	`10`	`"author": [`
`11`	`11`	`{`