updates

Author: michelle0927

components/splunk/actions/run-search/run-search.mjs

@@ -8,35 +8,19 @@ export default {
   type: "action",
   props: {
     splunk,
-    query: {
+    name: {
       propDefinition: [
         splunk,
-        "query",
+        "savedSearchName",
       ],
     },
-    earliestTime: {
-      type: "string",
-      label: "Earliest Time",
-      description: "Specify a time string. Sets the earliest (inclusive), respectively, time bounds for the search. The time string can be either a UTC time (with fractional seconds), a relative time specifier (to now) or a formatted time string. Refer to [Time modifiers](https://docs.splunk.com/Documentation/Splunk/9.4.1/SearchReference/SearchTimeModifiers) for search for information and examples of specifying a time string.",
-      optional: true,
-    },
-    latestTime: {
-      type: "string",
-      label: "Latest Time",
-      description: "  Specify a time string. Sets the latest (exclusive), respectively, time bounds for the search. The time string can be either a UTC time (with fractional seconds), a relative time specifier (to now) or a formatted time string. Refer to [Time modifiers](https://docs.splunk.com/Documentation/Splunk/9.4.1/SearchReference/SearchTimeModifiers) for search for information and examples of specifying a time string.",
-      optional: true,
-    },
   },
   async run({ $ }) {
     const response = await this.splunk.executeSearchQuery({
       $,
-      data: {
-        search: this.query,
-        earliest_time: this.earliestTime,
-        latest_time: this.latestTime,
-      },
+      name: this.name,
     });
-    $.export("$summary", `Executed Splunk search query: ${this.query}`);
+    $.export("$summary", `Executed Splunk search: ${this.name}`);
     return response;
   },
 };

components/splunk/sources/new-alert-fired/new-alert-fired.mjs

@@ -1,36 +1,35 @@
-import common from "../common/base.mjs";
+import splunk from "../../splunk.app.mjs";
+import sampleEmit from "./test-event.mjs";
 
 export default {
-  ...common,
   key: "splunk-new-alert-fired",
-  name: "New Alert Fired",
+  name: "New Alert Fired (Instant)",
   description: "Emit new event when a new alert is triggered in Splunk. [See the documentation](https://docs.splunk.com/Documentation/Splunk/9.4.1/RESTREF/RESTsearch#alerts.2Ffired_alerts)",
   version: "0.0.1",
   type: "source",
   dedupe: "unique",
+  props: {
+    splunk,
+    http: "$.interface.http",
+  },
   methods: {
-    ...common.methods,
     generateMeta(alert) {
+      const ts = +alert.result._time;
       return {
-        id: alert.id,
-        summary: `New Alert Fired: ${alert.name}`,
-        ts: Date.now(),
+        id: ts,
+        summary: `New Alert Fired for Source: ${alert.result.source}`,
+        ts,
       };
     },
   },
-  async run() {
-    const results = this.splunk.paginate({
-      resourceFn: this.splunk.listFiredAlerts,
-    });
-
-    const alerts = [];
-    for await (const item of results) {
-      alerts.push(item);
+  async run(event) {
+    const { body } = event;
+    if (!body) {
+      return;
     }
 
-    alerts.forEach((alert) => {
-      const meta = this.generateMeta(alert);
-      this.$emit(alert, meta);
-    });
+    const meta = this.generateMeta(body);
+    this.$emit(body, meta);
   },
+  sampleEmit,
 };

components/splunk/sources/new-alert-fired/test-event.mjs

@@ -0,0 +1,30 @@
+export default {
+  "sid": "",
+  "search_name": "",
+  "app": "search",
+  "owner": "",
+  "results_link": "https://splunk:8000/app/search/search?q=",
+  "result": {
+    "_confstr": "source::Source|host::44.210.81.125|webhook",
+    "_eventtype_color": "",
+    "_indextime": "1742843623",
+    "_raw": "{ \"name\": \"test\", \"value\": \"test\" }",
+    "_serial": "3",
+    "_si": [
+      "main"
+    ],
+    "_sourcetype": "webhook",
+    "_time": "1742843623",
+    "eventtype": "",
+    "host": "44.210.81.125",
+    "index": "main",
+    "linecount": "",
+    "name": "test",
+    "punct": "{_\"\":_\"_\",_\"\":_\"\"_}",
+    "source": "Source",
+    "sourcetype": "webhook",
+    "splunk_server": "",
+    "timestamp": "none",
+    "value": "test"
+  }
+}

components/splunk/sources/new-search-result/new-search-result.mjs

@@ -10,30 +10,37 @@ export default {
   dedupe: "unique",
   methods: {
     ...common.methods,
+    async getRecentJobs() {
+      const jobs = [];
+      const results = this.splunk.paginate({
+        resourceFn: this.splunk.listJobs,
+      });
+      for await (const job of results) {
+        jobs.push(job);
+      }
+      return jobs;
+    },
     generateMeta(result) {
       return {
-        id: result.sid,
-        summary: `New Search Results with SID: ${result.sid}`,
+        id: result.id,
+        summary: `New Search with ID: ${result.id}`,
         ts: Date.now(),
       };
     },
   },
   async run() {
-    const jobIds = await this.getRecentJobIds();
-    const searchResults = [];
-    for (const jobId of jobIds) {
-      try {
-        const response = await this.splunk.getSearchResults({
-          jobId,
+    const jobs = await this.getRecentJobs();
+    for (const job of jobs) {
+      if (job.content?.resultCount > 0) {
+        const { results } = await this.splunk.getSearchResults({
+          jobId: job.content.sid,
         });
-        if (response?.results?.length) {
-          searchResults.push(...response.results);
+        if (results) {
+          job.results = results;
         }
-      } catch {
-        console.log(`No results found for sid: ${jobId}`);
       }
     }
-    searchResults.forEach((result) => {
+    jobs.forEach((result) => {
       const meta = this.generateMeta(result);
       this.$emit(result, meta);
     });

components/splunk/splunk.app.mjs

@@ -111,10 +111,12 @@ export default {
         ...opts,
       });
     },
-    executeSearchQuery(opts = {}) {
+    executeSearchQuery({
+      name, ...opts
+    }) {
       return this._makeRequest({
         method: "POST",
-        path: "/search/jobs",
+        path: `/saved/searches/${name}/dispatch`,
         ...opts,
       });
     },