splunk/pytest-splunk-addon

Data Generator doesn't set host field via token


The following configuration in pytest-splunk-addon-data.conf does replace the tokens as expected, but the ingested data shows a value of Barracuda.log for the field host. Therefore the test Test_App.test_indextime_key_fields fails.

[Barracuda.log]
sourcetype = barracuda
#source =
#sourcetype_to_search = barracuda
host_type = plugin
input_type = file_monitor
index = main
sample_count = 20
#expected_event_count =
timestamp_type = event
#breaker =

token.1.token = ##time1##
token.1.replacementType = timestamp
token.1.replacement = %b %d %H:%M:%S
token.1.field = _time

token.2.token = ##host##
token.2.replacementType = random
token.2.replacement = host["ipv4"]
token.2.field = host

token.3.token = ##time2##
token.3.replacementType = timestamp
token.3.replacement = %Y-%m%d %H:%M:%S.%3Q +%z

The following config using host_type = plugin produces the exact same result.

[Barracuda.log]
sourcetype = barracuda
#source =
#sourcetype_to_search = barracuda
host_type = plugin
input_type = file_monitor
index = main
sample_count = 20
#expected_event_count =
timestamp_type = event
#breaker =

token.1.token = ##time1##
token.1.replacementType = timestamp
token.1.replacement = %b %d %H:%M:%S
token.1.field = _time

token.2.token = ##host##
token.2.replacementType = random
token.2.replacement = host["ipv4"]
#token.2.field = host

token.3.token = ##time2##
token.3.replacementType = timestamp
token.3.replacement = %Y-%m%d %H:%M:%S.%3Q +%z

Test output:

---------------------------------------------------------------------------------------------- Captured log call -----------------------------------------------------------------------------------------------
DEBUG    pytest-splunk-addon:test_templates.py:80 Base search for indextime key field test: search (index=*) sourcetype=barracuda host IN ("Barracuda.log") | table host
DEBUG    pytest-splunk-addon:test_templates.py:88 Results:[{'host': 'Barracuda.log'}, {'host': 'Barracuda.log'}, {'host': 'Barracuda.log'}, {'host': 'Barracuda.log'}, {'host': 'Barracuda.log'}, {'host': 'Barracuda.log'}, {'host': 'Barracuda.log'}, {'host': 'Barracuda.log'}, {'host': 'Barracuda.log'}, {'host': 'Barracuda.log'}, {'host': 'Barracuda.log'}, {'host': 'Barracuda.log'}, {'host': 'Barracuda.log'}, {'host': 'Barracuda.log'}, {'host': 'Barracuda.log'}, {'host': 'Barracuda.log'}, {'host': 'Barracuda.log'}, {'host': 'Barracuda.log'}, {'host': 'Barracuda.log'}, {'host': 'Barracuda.log'}]
INFO     pytest-splunk-addon:test_templates.py:143 Some values for the following key fields are missing

Key_field | Expected_values                                                                                                                                                                                                                                                                                                        | Actual_values
--------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -----------------
host      | {'172.16.51.6', '172.16.51.7', '172.16.51.3', '172.16.51.18', '172.16.51.12', '172.16.51.8', '172.16.51.17', '172.16.51.19', '172.16.51.10', '172.16.51.11', '172.16.51.1', '172.16.51.15', '172.16.51.4', '172.16.51.16', '172.16.51.0', '172.16.51.9', '172.16.51.5', '172.16.51.13', '172.16.51.2', '172.16.51.14'} | {'Barracuda.log'}

System information:

platform darwin -- Python 3.8.6, pytest-6.1.1, py-1.9.0, pluggy-0.13.1 -- /usr/local/opt/python@3.8/bin/python3.8
using: pytest-6.1.1 pylib-1.9.0
setuptools registered plugins:
  lovely-pytest-docker-0.2.0 at /usr/local/lib/python3.8/site-packages/lovely/pytest/docker/compose.py
  pytest-splunk-addon-1.3.9 at /usr/local/lib/python3.8/site-packages/pytest_splunk_addon/plugin.py
  pytest-splunk-addon-1.3.9 at /usr/local/lib/python3.8/site-packages/pytest_splunk_addon/splunk.py
  pytest-xdist-2.1.0 at /usr/local/lib/python3.8/site-packages/xdist/plugin.py
  pytest-xdist-2.1.0 at /usr/local/lib/python3.8/site-packages/xdist/looponfail.py
  pytest-forked-1.3.0 at /usr/local/lib/python3.8/site-packages/pytest_forked/__init__.py
  Faker-4.14.0 at /usr/local/lib/python3.8/site-packages/faker/contrib/pytest/plugin.py

@emk3y
Here there are two issues:

  • In the first stanza/log, where token.2.field = host is provided, there should be host_type = event, as the host assignment is being done via the token. Hence, the test would fail, as it is ingesting a different host and the tests are asserting different hosts.

  • For the second stanza/log, host_type = plugin works as there is token.2.field = host, and the tests fail. But in Splunk, events wouldn't have host as IPs (e.g. 172.15.1.1) or something like that.
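A small consistency check for the rule stated in the comment above (an added example, not code from the project or from anyone in this thread): it parses a pytest-splunk-addon-data.conf stanza and flags any token that writes the host field while the stanza does not use host_type = event. The conf text below is a constructed copy of the reporter's first stanza.

```python
import configparser
import re
from collections import defaultdict

# Constructed sample: the reporter's first stanza, which combines
# host_type = plugin with a token that sets the host field.
SAMPLE_CONF = """\
[Barracuda.log]
sourcetype = barracuda
host_type = plugin
input_type = file_monitor
index = main
sample_count = 20
timestamp_type = event

token.1.token = ##time1##
token.1.replacementType = timestamp
token.1.replacement = %b %d %H:%M:%S
token.1.field = _time

token.2.token = ##host##
token.2.replacementType = random
token.2.replacement = host["ipv4"]
token.2.field = host
"""

TOKEN_KEY = re.compile(r"^token\.(\d+)\.(\w+)$")


def parse_stanzas(conf_text):
    """Return {stanza: (settings, {token_index: {attr: value}})}."""
    # Interpolation is off because timestamp formats contain '%'.
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the case of keys such as replacementType
    cp.read_string(conf_text)
    result = {}
    for stanza in cp.sections():
        settings, tokens = {}, defaultdict(dict)
        for key, value in cp.items(stanza):
            m = TOKEN_KEY.match(key)
            if m:
                tokens[int(m.group(1))][m.group(2)] = value
            else:
                settings[key] = value
        result[stanza] = (settings, dict(tokens))
    return result


def check_host_config(conf_text):
    """One finding per stanza where a host token is used without host_type = event."""
    findings = []
    for stanza, (settings, tokens) in parse_stanzas(conf_text).items():
        host_type = settings.get("host_type")  # None when the key is absent
        host_tokens = sorted(i for i, t in tokens.items() if t.get("field") == "host")
        if host_tokens and host_type != "event":
            findings.append(f"[{stanza}] token.{host_tokens[0]}.field = host needs "
                            f"host_type = event (found: {host_type or 'unset'})")
    return findings
```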

Thanks for the fast reply! You're correct, the combination in the first example is wrong. It was one of many tests, so I made a copy+paste error.

So I retried the following configuration:

[Barracuda.log]
sourcetype = barracuda
#source =
#sourcetype_to_search = barracuda
host_type = event
input_type = file_monitor
index = main
sample_count = 20
#expected_event_count =
timestamp_type = event
#breaker =

token.1.token = ##time1##
token.1.replacementType = timestamp
token.1.replacement = %b %d %H:%M:%S
token.1.field = _time

token.2.token = ##host##
token.2.replacementType = random
token.2.replacement = host["ipv4"]
token.2.field = host

token.3.token = ##time2##
token.3.replacementType = timestamp
token.3.replacement = %Y-%m%d %H:%M:%S.%3Q +%z

This leads to the following errors:

=========================================================================================== short test summary info ============================================================================================
FAILED test_addon.py::Test_App::test_indextime_key_fields[barracuda::172.16.51.0_to_172.16.51.19] - AssertionError: No Events found for query search (index=*) sourcetype=barracuda host IN ("172.16.51.9","1...
FAILED test_addon.py::Test_App::test_indextime_time[barracuda::172.16.51.0_to_172.16.51.19] - AssertionError: No Events found for query: search (index=*) sourcetype=barracuda host IN ("172.16.51.9","172.16...
FAILED test_addon.py::Test_App::test_indextime_line_breaker[barracuda::Barracuda.log] - AssertionError: Query: search (index=*) sourcetype=barracuda host IN ("172.16.51.9","172.16.51.13","172.16.51.3","172...

This is due to the value of the host field, as the following search shows:

index=* sourcetype="barracuda" | stats count by index source sourcetype host
---
index,source,sourcetype,host,count
main,"pytest_splunk_addon:hec:raw",barracuda,"Barracuda.log",20

Just to make sure I understand the expected behavior correctly: with host_type = event and token.2.field = host set, the host field should be populated by the Data Generator, and the packaged app is not expected to extract the host value at this point. Right?

From the result of the above query, index=* sourcetype="barracuda" | stats count by index source sourcetype host, it is observed that host is somehow changed; maybe operations (FIELDALIAS/EVAL etc.) are being performed by the add-on, which might be leading to such failures.

Regarding the second question: yes, host_type = event and token.2.field = host set the host field via the Data Generator, but once ingested in Splunk, its value may change depending on the add-on's props/transforms, as mentioned above.

Until now the package doesn't actually contain any real content as I was trying to get the test environment up and running as a test. So there is nothing in there that could've rewritten the host field.

Additionally, looking at .tokenized_values/Barracuda.log.json it shows the same value for host as well.

{
	"Barracuda.log": {
		"metadata": {
			"host": "Barracuda.log",
			"source": null,
			"sourcetype": "barracuda",
			"timestamp_type": "event",
			"input_type": "file_monitor",
			"expected_event_count": 20,
			"index": "main"
		},
...