Merge pull request #1435 from demisto/extract-fields-splunk

Extract fields splunk
demisto · Apr 2, 2018 · aae24dd · aae24dd
2 parents c028b3a + cdfb8ef
commit aae24dd
Showing 1 changed file with 14 additions and 0 deletions.
diff --git a/Integrations/integration-SplunkPy.yml b/Integrations/integration-SplunkPy.yml
@@ -58,6 +58,12 @@ configuration:
   defaultvalue: "false"
   type: 8
   required: false
+- display: 'Extract Fields - comma separated fields that will be parsed out of _raw
+    notable events '
+  name: extractFields
+  defaultvalue: ""
+  type: 12
+  required: false
 script:
   script: |
     import splunklib.client as client
@@ -313,6 +319,13 @@ script:
                       "latest_time": now}
         searchquery_oneshot = demisto.params()['fetchQuery']
 
+        if demisto.get(demisto.params(), 'extractFields'):
+            extractFields = demisto.params()['extractFields']
+            extra_raw_arr = extractFields.split(',')
+            for field in extra_raw_arr:
+                field_trimmed = field.strip()
+                searchquery_oneshot = searchquery_oneshot + ' | eval '+field_trimmed+'='+field_trimmed
+
         oneshotsearch_results = service.jobs.oneshot(searchquery_oneshot, **kwargs_oneshot)
         reader = results.ResultsReader(oneshotsearch_results)
         for item in reader:
@@ -469,3 +482,4 @@ script:
     description: Parse the Raw part of the event
   dockerimage: demisto/splunksdk:1.0
   isfetch: true
+releaseNotes: 'Support Splunk fetch incident to extract custom fields from _raw of notable events'