Shorten app URL and fix schedule_priority

devinslick · devinslick · commit fffd42910a02 · 2025-11-16T16:15:16.000-06:00
- Changed app ID from caca-content-activity-checking-application to caca

- Updated app.conf, app.manifest, GitHub Actions, PowerShell script

- Fixed schedule_priority from invalid 'low' to 'default' in all scheduled searches

- Updated README with corrected app context syntax (caca: instead of long form)

- Added test-environment.yaml with auto-generated random passwords

- New app URL will be /app/caca/ instead of long form
diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml
@@ -213,7 +213,7 @@ jobs:
       run: |
         echo "Running Splunk AppInspect..."
         # Create a temporary package directory
-        PACKAGE_DIR="caca-content-activity-checking-application"
+        PACKAGE_DIR="caca"
         mkdir -p "$PACKAGE_DIR"
 
         # Copy app files excluding development files
diff --git a/README.md b/README.md
@@ -119,7 +119,10 @@ The `caca_metrics` index should be created automatically. Verify by running:
 
 ### 2. Populate Dashboard Registry
 
-Run the registry update search to populate the dashboard registry:
+Run the registry update search to populate the dashboard registry. **Important:** Make sure to run this search from within the CACA app context, or use the full app path in the outputlookup command:
+
+**Option A - Run from CACA app context:**
+Navigate to **CACA app** in Splunk Web, then run:
 
 ```spl
 | rest /services/data/ui/views splunk_server=local count=0 search="sharing=*"
@@ -135,16 +138,43 @@ Run the registry update search to populate the dashboard registry:
 | outputlookup dashboard_registry.csv
 ```
 
+**Option B - Run from any app:**
+
+If you prefer to run the search from a different app (like Search & Reporting), you can do so, but you **must** include the full app path in the outputlookup command:
+
+```spl
+| rest /services/data/ui/views splunk_server=local count=0 search="sharing=*"
+| search isDashboard=1 OR isVisible=1
+| eval dashboard_uri="/app/".eai:acl.app."/".title
+| eval pretty_name=coalesce(label, title)
+| eval app=eai:acl.app
+| eval owner=eai:acl.owner
+| eval sharing=eai:acl.sharing
+| eval description=coalesce(eai:data, "")
+| eval status="active"
+| table dashboard_uri pretty_name app owner sharing description status
+| outputlookup caca:dashboard_registry.csv
+```
+
+**Note:** The `caca:` prefix ensures the lookup is saved to the correct app even when running from elsewhere.
+
+**Recommended:** Just use Option A - it's simpler and less error-prone.
+
 This will scan your Splunk environment and populate the `dashboard_registry.csv` lookup with all discovered dashboards, including private dashboards.
 
 **Note on Private Dashboards:** The `search="sharing=*"` parameter ensures that dashboards with all sharing levels (global, app, and user/private) are included in the registry. To see private dashboards owned by other users, the scheduled search must run with appropriate permissions (typically as admin or with the `list_storage_passwords` capability).
 
-**Verify the registry:**
+**Verify the registry (run from CACA app):**
 
 ```spl
 | inputlookup dashboard_registry | stats count
 ```
 
+Or from any app, navigate to the lookup location:
+```spl
+Settings → Lookups → Lookup table files → Find "dashboard_registry.csv" in caca
+```
+
 ### 3. Enable Scheduled Searches
 
 Navigate to **Settings → Searches, reports, and alerts** and enable these searches:
@@ -462,7 +492,11 @@ Edit `lookups/dashboard_registry.csv` and set `status=inactive` for specific das
 
 ### Dashboard Not Appearing in Registry
 
-Run the registry update search manually:
+Run the registry update search manually from the CACA app context:
+
+**Step 1:** Navigate to the CACA app in Splunk Web
+
+**Step 2:** Run this search:
 ```spl
 | rest /services/data/ui/views splunk_server=local count=0 search="sharing=*"
 | search isDashboard=1 OR isVisible=1
@@ -473,12 +507,12 @@ Run the registry update search manually:
 | eval sharing=eai:acl.sharing
 | eval status="active"
 | table dashboard_uri pretty_name app owner sharing status
-| outputlookup dashboard_registry.csv
+| outputlookup caca:dashboard_registry.csv
 ```
 
 **For Private Dashboards:** If private dashboards still don't appear, ensure the search is running with appropriate permissions. Private dashboards owned by other users require admin privileges or specific capabilities to be discovered via REST API.
 
-Or add it manually to `lookups/dashboard_registry.csv`.
+Or add it manually to `lookups/dashboard_registry.csv` in the CACA app directory.
 
 ### Metrics Showing Zero
 
diff --git a/app.manifest b/app.manifest
@@ -4,7 +4,7 @@
     "title": "CACA - Content Activity Checking Application",
     "id": {
       "group": null,
-      "name": "caca-content-activity-checking-application",
+      "name": "caca",
       "version": "0.0.1"
     },
     "author": [
diff --git a/default/app.conf b/default/app.conf
@@ -11,5 +11,5 @@ description = CACA (Content Activity Checking Application) - Track usage, health
 version = 0.0.1
 
 [package]
-id = caca-content-activity-checking-application
+id = caca
 check_for_updates = 1
diff --git a/default/savedsearches.conf b/default/savedsearches.conf
@@ -22,7 +22,7 @@ search = index=_internal sourcetype=splunkd_access method=GET uri_path="/*/app/*
 | eval metric_name="dashboard.views" \
 | eval activity_type="view" \
 | mcollect index=caca_metrics metric_name=metric_name pretty_name app user activity_type split=t
-schedule_priority = low
+schedule_priority = default
 schedule_window = 5
 
 [Dashboard Edits - Metrics Collector]
@@ -42,7 +42,7 @@ search = index=_audit action=edit_view OR action=create_view object_type=view \
 | eval metric_name="dashboard.edits" \
 | eval activity_type=if(action="create_view", "create", "edit") \
 | mcollect index=caca_metrics metric_name=metric_name pretty_name app user activity_type split=t
-schedule_priority = low
+schedule_priority = default
 schedule_window = 5
 
 [Dashboard Health - Metrics Collector]
@@ -66,7 +66,7 @@ search = index=_internal (sourcetype=splunkd log_level=ERROR OR log_level=WARN)
 | eval severity=lower(log_level) \
 | eval activity_type="health" \
 | mcollect index=caca_metrics metric_name=metric_name pretty_name app severity activity_type split=t
-schedule_priority = low
+schedule_priority = default
 schedule_window = 5
 
 [Dashboard Performance - Metrics Collector]
@@ -90,7 +90,7 @@ search = index=_internal sourcetype=splunkd_ui_access uri_path="/*/app/*" \
 | eval metric_name="dashboard.load_time" \
 | eval activity_type="performance" \
 | mcollect index=caca_metrics metric_name=metric_name _value=avg_load_time pretty_name app user activity_type split=t
-schedule_priority = low
+schedule_priority = default
 schedule_window = 5
 
 #####################
@@ -119,4 +119,4 @@ search = | rest /services/data/ui/views splunk_server=local count=0 search="shar
 | fields - include \
 | table dashboard_uri pretty_name app owner sharing description status \
 | outputlookup dashboard_registry.csv
-schedule_priority = low
+schedule_priority = default
diff --git a/local/test-environment.yaml b/local/test-environment.yaml
@@ -0,0 +1,227 @@
+# Test Environment for CACA Splunk App
+# This is a generic Kubernetes deployment for testing the CACA app
+# Customize the namespace, ingress, and other settings for your environment
+#
+# To retrieve the generated Splunk password after deployment:
+#   kubectl get secret splunk-secret -n <your-namespace> -o jsonpath='{.data.password}' | base64 -d
+
+---
+# Job to generate a random password for Splunk
+# This runs before the deployment and creates/updates the secret with a random password
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: splunk-password-generator
+  namespace: default  # Change to your namespace
+spec:
+  ttlSecondsAfterFinished: 100  # Auto-cleanup after 100 seconds
+  template:
+    spec:
+      serviceAccountName: default  # Ensure the service account has permission to create secrets
+      restartPolicy: Never
+      containers:
+      - name: generate-password
+        image: bitnami/kubectl:latest
+        command:
+        - /bin/bash
+        - -c
+        - |
+          # Generate a random 16-character password
+          PASSWORD=$(cat /dev/urandom | tr -dc 'A-Za-z0-9!@#$%^&*' | head -c 16)
+
+          # Create or update the secret
+          kubectl create secret generic splunk-secret \
+            --from-literal=password="$PASSWORD" \
+            --dry-run=client -o yaml | kubectl apply -f -
+
+          echo "Password secret created/updated successfully"
+          echo "Retrieve with: kubectl get secret splunk-secret -o jsonpath='{.data.password}' | base64 -d"
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: splunk
+  labels:
+    app: splunk
+  namespace: default  # Change to your namespace
+spec:
+  replicas: 1
+  strategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxSurge: 1
+      maxUnavailable: 1
+  selector:
+    matchLabels:
+      app: splunk
+  template:
+    metadata:
+      labels:
+        app: splunk
+    spec:
+      hostname: splunk
+      initContainers:
+        - name: download-caca-app
+          image: alpine/git:latest
+          securityContext:
+            runAsUser: 0  # Run as root to ensure write permissions
+          env:
+            # Change this to use a different branch (e.g., dev, feature/my-feature)
+            - name: CACA_BRANCH
+              value: "main"
+            # Optionally override the GitHub repo URL
+            # - name: CACA_REPO_URL
+            #   value: "https://github.com/yourusername/your-fork.git"
+          command:
+            - sh
+            - -c
+            - |
+              set -e  # Exit on any error
+
+              REPO_URL="${CACA_REPO_URL:-https://github.com/devinslick/splunk-content-monitoring-console.git}"
+
+              echo "=== CACA App Installation Starting ==="
+              echo "Repository: ${REPO_URL}"
+              echo "Branch: ${CACA_BRANCH}"
+              echo "Target: /opt/splunk/etc/apps/caca"
+
+              echo "Checking volume mount..."
+              ls -la /opt/splunk/etc/ || echo "WARNING: /opt/splunk/etc/ not accessible"
+
+              echo "Creating apps directory if needed..."
+              mkdir -p /opt/splunk/etc/apps
+
+              echo "Removing old CACA app installation (if exists)..."
+              rm -rf /opt/splunk/etc/apps/caca-content-activity-checking-application
+              rm -rf /opt/splunk/etc/apps/caca
+
+              echo "Downloading CACA app from GitHub (branch: ${CACA_BRANCH})..."
+              cd /tmp
+              git clone --depth 1 --branch ${CACA_BRANCH} ${REPO_URL}
+
+              echo "Creating app directory..."
+              mkdir -p /opt/splunk/etc/apps/caca
+
+              echo "Copying app files (excluding dev files)..."
+              cd splunk-content-monitoring-console
+
+              # Copy all files except dev-specific ones
+              find . -maxdepth 1 -mindepth 1 \
+                ! -name '.git*' \
+                ! -name 'local' \
+                ! -name 'devnotes' \
+                ! -name '.venv' \
+                ! -name '.pytest_cache' \
+                ! -name '.pre-commit-config.yaml' \
+                ! -name '.bandit.yml' \
+                ! -name 'CI-CD-SETUP.md' \
+                ! -name 'scripts' \
+                ! -name 'appinspect_report.json' \
+                ! -name '*.pyc' \
+                ! -name '__pycache__' \
+                -exec cp -r {} /opt/splunk/etc/apps/caca/ \;
+
+              echo "Setting permissions for Splunk user (41812)..."
+              chown -R 41812:41812 /opt/splunk/etc/apps/caca
+
+              echo "=== CACA App Installation Complete ==="
+              echo "Installed files:"
+              ls -la /opt/splunk/etc/apps/caca/
+
+              echo "SUCCESS: CACA app installed from ${REPO_URL} (branch: ${CACA_BRANCH})"
+          volumeMounts:
+            - mountPath: /opt/splunk/etc/apps
+              name: splunk
+              subPath: var/splunk-apps  # Use a dedicated path in the PVC
+      containers:
+        - name: splunk
+          image: splunk/splunk:latest
+          imagePullPolicy: Always
+          ports:
+            - containerPort: 8000
+              name: http
+              protocol: TCP
+            - containerPort: 8088
+              name: hec
+              protocol: TCP
+            - containerPort: 9997
+              name: indexer
+              protocol: TCP
+          volumeMounts:
+          - mountPath: /opt/splunk/var
+            name: splunk
+            subPath: var
+          - mountPath: /opt/splunk/etc/apps
+            name: splunk
+            subPath: var/splunk-apps  # Share same PVC, different subPath
+          env:
+            - name: TZ
+              value: 'America/Chicago'  # Change to your timezone
+            - name: SPLUNK_GENERAL_TERMS
+              value: '--accept-sgt-current-at-splunk-com'
+            - name: SPLUNK_START_ARGS
+              value: '--accept-license --no-prompt --answer-yes'
+            - name: SPLUNK_HTTP_PORT
+              value: "8000"
+            - name: SPLUNK_HEC_PORT
+              value: "8088"
+            - name: SPLUNK_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: splunk-secret
+                  key: password
+          livenessProbe:
+            httpGet:
+              path: /
+              port: 8000
+            initialDelaySeconds: 60
+            periodSeconds: 30
+      volumes:
+      - name: splunk
+        persistentVolumeClaim:
+          claimName: splunk  # Change to your PVC name
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: splunk-http
+  namespace: default  # Change to your namespace
+  labels:
+    app: splunk
+spec:
+  ports:
+  - name: http
+    port: 8000
+  type: ClusterIP
+  selector:
+    app: splunk
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: splunk-hec
+  namespace: default  # Change to your namespace
+  labels:
+    app: splunk
+spec:
+  ports:
+  - name: hec
+    port: 8088
+  type: ClusterIP
+  selector:
+    app: splunk
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: splunk-indexer
+  namespace: default  # Change to your namespace
+  labels:
+    app: splunk
+spec:
+  ports:
+  - name: indexer
+    port: 9997
+  type: ClusterIP
+  selector:
+    app: splunk
diff --git a/scripts/validate.ps1 b/scripts/validate.ps1
@@ -349,7 +349,7 @@ if (-not $Quick) {
 
         try {
             # Create temporary package directory
-            $packageDir = Join-Path $env:TEMP "caca-content-activity-checking-application-$(Get-Date -Format 'yyyyMMddHHmmss')"
+            $packageDir = Join-Path $env:TEMP "caca-$(Get-Date -Format 'yyyyMMddHHmmss')"
             New-Item -ItemType Directory -Path $packageDir -Force | Out-Null
 
             # Copy files (exclude dev files)
