Last active
October 7, 2021 16:56
Export private Splunk knowledge objects (KOs) and output a table of cURL URLs and parameters for recreating them. Derived from https://github.com/paychex/Splunk.Conf19
``` Collect knowledge objects from the local splunkd REST API across every user and app namespace (servicesNS/-/-), keeping only objects whose sharing is "user" (private), and tag each row with a human-readable Type. ```
``` Saved searches whose search string is "| noop" are excluded. Each subsearch also drops fields that the later stages do not use, and several extract the bare object name from a compound title. ```
``` NOTE(review): the result holds every user's private searches, lookups and views. Presumably it has to run under a role that may read other users' private objects, and the output should be handled as sensitive data - confirm. ```
| union maxtime=300 timeout=300 | |
[| rest splunk_server="local" "/servicesNS/-/-/data/ui/views" search="eai:acl.sharing=user" | eval Type="view" | fields - type description label] | |
[| rest splunk_server="local" "/servicesNS/-/-/data/props/calcfields" search="eai:acl.sharing=user" | eval Type="calculated fields" | fields - type field.* | rex field=title " : [^\-]+-(?<title>[^\e]+)"] | |
[| rest splunk_server="local" "/servicesNS/-/-/data/props/fieldaliases" search="eai:acl.sharing=user" | eval Type="field aliases" | fields - type value | rex field=title " : [^\-]+-(?<title>[^\e]+)"] | |
[| rest splunk_server="local" "/servicesNS/-/-/data/transforms/extractions" search="eai:acl.sharing=user" | eval Type="field transformations" | fields - type] | |
[| rest splunk_server="local" "/servicesNS/-/-/data/props/extractions" search="eai:acl.sharing=user" | eval Type="extractions" | rex field=title " : (?<type>(EXTRACT|REPORT))-(?<title>[^\e]+)"] | |
[| rest splunk_server="local" "/servicesNS/-/-/data/props/sourcetype-rename" search="eai:acl.sharing=user" | eval Type="sourcetype renaming" | fields - type stanza] | |
[| rest splunk_server="local" "/servicesNS/-/-/data/ui/workflow-actions" search="eai:acl.sharing=user" | eval Type="Workflow actions"] | |
[| rest splunk_server="local" "/servicesNS/-/-/data/ui/times" search="eai:acl.sharing=user" | eval Type="Time Ranges" | fields - type] | |
[| rest splunk_server="local" "/servicesNS/-/-/saved/searches" search="eai:acl.sharing=user" | search NOT search="| noop" | eval Type="Saved Searches/Alerts/Reports" | fields - type] | |
[| rest splunk_server="local" "/servicesNS/-/-/data/models" search="eai:acl.sharing=user" | eval Type="Data Models" | fields - type] | |
[| rest splunk_server="local" "/servicesNS/-/-/saved/eventtypes" search="eai:acl.sharing=user" | eval Type="Event Types" | fields - type | eval tags=mvjoin(tags, ",")] | |
[| rest splunk_server="local" "/servicesNS/-/-/saved/fvtags" search="eai:acl.sharing=user" | eval Type="List by Field value pair" | fields - type] | |
[| rest splunk_server="local" "/servicesNS/-/-/saved/ntags" search="eai:acl.sharing=user" | eval Type="List by tag name" | fields - type] | |
[| rest splunk_server="local" "/servicesNS/-/-/admin/tags" search="eai:acl.sharing=user" | eval Type="Tags" | rex field=field_name_value "^(?<field_name>[^\=]+)=(?<field_value>[^\e]+)" | fields - tag_name type field_name_value | rex field=title " : (?<title>[^\e]+)"] | |
[| rest splunk_server="local" "/servicesNS/-/-/data/lookup-table-files" search="eai:acl.sharing=user" | eval Type="lookup table files" | fields - type] | |
[| rest splunk_server="local" "/servicesNS/-/-/data/transforms/lookups" search="eai:acl.sharing=user" | eval Type="Lookup Definitions" | fields - type fields_array] | |
[| rest splunk_server="local" "/servicesNS/-/-/data/props/lookups" search="eai:acl.sharing=user" | eval Type="Automatic lookups" | fields - type value | rex field=title " : [^\-]+-(?<title>[^\e]+)"] | |
[| rest splunk_server="local" "/servicesNS/-/-/data/ui/nav" search="eai:acl.sharing=user" | eval Type="App UI" | fields - type] | |
[| rest splunk_server="local" "/servicesNS/-/-/data/ui/panels" search="eai:acl.sharing=user" | eval Type="Pre-built panels" | fields - type] | |
[| rest splunk_server="local" "/servicesNS/-/-/messages" search="eai:acl.sharing=user" | eval Type="Bulletin Messages" | fields - type] | |
[| rest splunk_server="local" "/servicesNS/-/-/admin/macros" search="eai:acl.sharing=user" | eval Type="Search Macros" | fields - type] | |
``` Convert "updated" to whole epoch seconds, display it with the locale date and time format, and set _time to the moment the search runs. ```
| eval updated=round(strptime(updated, "%Y-%m-%dT%H:%M:%S"),0) | |
| fieldformat updated= strftime(updated, "%x %X") | |
| eval _time=now() | |
``` For each listed field, collapse a multivalue value into one comma-separated string; single values pass through unchanged. ```
| foreach title "eai:data" "eai:acl.sharing" "eai:acl.perms.read" "eai:acl.perms.write" search definition stanza value transform tag* filename fields_list collection external_type description *cron* is_scheduled schedule_window action* alert* args errormsg validation earliest_time latest_time header_label order display_location fields eventtypes REGEX link.* search.* display.* | |
[ eval "<<FIELD>>"=if(mvcount('<<FIELD>>')>1, mvjoin('<<FIELD>>', ","), '<<FIELD>>')] | |
``` NOTE(review): the second table keeps only the fields it lists, and neither _time nor updated is among them, so the first table and the three commands that set updated and _time do not appear to affect the final output - confirm before relying on them. ```
| table _time Type title eai:acl.appauthor eai:acl.perms.read eai:acl.perms.write eai:* * | |
| table id Type title "eai:data" "eai:acl.sharing" "eai:acl.perms.read" "eai:acl.perms.write" "eai:acl.owner" search definition stanza value transform tag* filename fields_list collection external_type disabled description *cron* is_scheduled schedule_window action* alert* args errormsg validation earliest_time latest_time header_label label order display_location fields eventtypes REGEX FORMAT link.* search.* display.* type alias.* field* overwrite lookup.* dispatch.* | |
``` Percent-encode the value of every listed field with a sed substitution table, one rule per character. "%" is rewritten first so that the escapes produced by later rules are not encoded a second time. ```
``` NOTE(review): title and eai:acl.owner are not in this field list, so they reach the later curl-parameter stages unencoded - confirm that is intended. ```
``` NOTE(review): the last two rules emit %E2%80 and %E2%84, which are shorter than the three-byte escapes of the neighbouring rules (for example %E2%80%B9) and are probably truncated; check them against the UTF-8 encodings of the two characters. ```
``` NOTE(review): as displayed, the rule that emits %E2%82%AC repeats the backtick pattern already handled by the %60 rule, and the rule that emits %9D shows no character to match; both may have lost a non-ASCII character in transit - compare with the raw file. ```
| foreach "eai:data" "eai:acl.sharing" "eai:acl.perms.read" "eai:acl.perms.write" search definition stanza value transform tag* filename fields_list collection external_type description *cron* is_scheduled schedule_window action* alert* args errormsg validation earliest_time latest_time header_label order display_location fields eventtypes REGEX FORMAT link.* search.* display.* type alias.* label field* overwrite lookup.* | |
[ rex field="<<FIELD>>" mode=sed "s:%:%25:g s:\t:%09:g s:\n:%0A:g s: :%20:g s:\ :%C2%A0:g s:\!:%21:g s:\":%22:g s:\#:%23:g s:\$:%24:g s:\&:%26:g s:\':%27:g s:\(:%28:g s:\):%29:g s:\*:%2A:g s:\+:%2B:g s:\,:%2C:g s:\-:%2D:g s:\.:%2E:g s:\/:%2F:g s:\::%3A:g s:\;:%3B:g s:\<:%3C:g s:\=:%3D:g s:\>:%3E:g s:\?:%3F:g s:\@:%40:g s:\[:%5B:g s:\\\:%5C:g s:\]:%5D:g s:\^:%5E:g s:\_:%5F:g s:\`:%60:g s:\`:%E2%82%AC:g s:\{:%7B:g s:\|:%7C:g s:\}:%7D:g s:\~:%7E:g s:\:%9D:g s:\¡:%C2%A1:g s:\¢:%C2%A2:g s:\£:%C2%A3:g s:\¤:%C2%A4:g s:\¥:%C2%A5:g s:\¦:%C2%A6:g s:\§:%C2%A7:g s:\¨:%C2%A8:g s:\©:%C2%A9:g s:\ª:%C2%AA:g s:\«:%C2%AB:g s:\¬:%C2%AC:g s:\®:%C2%AE:g s:\¯:%C2%AF:g s:\°:%C2%B0:g s:\±:%C2%B1:g s:\²:%C2%B2:g s:\³:%C2%B3:g s:\´:%C2%B4:g s:\µ:%C2%B5:g s:\¶:%C2%B6:g s:\·:%C2%B7:g s:\¸:%C2%B8:g s:\¹:%C2%B9:g s:\º:%C2%BA:g s:\»:%C2%BB:g s:\¼:%C2%BC:g s:\½:%C2%BD:g s:\¾:%C2%BE:g s:\¿:%C2%BF:g s:\À:%C3%80:g s:\Á:%C3%81:g s:\Â:%C3%82:g s:\Ã:%C3%83:g s:\Ä:%C3%84:g s:\Å:%C3%85:g s:\Æ:%C3%86:g s:\Ç:%C3%87:g s:\È:%C3%88:g s:\É:%C3%89:g s:\Ê:%C3%8A:g s:\Ë:%C3%8B:g s:\Ì:%C3%8C:g s:\Í:%C3%8D:g s:\Î:%C3%8E:g s:\Ï:%C3%8F:g s:\Ð:%C3%90:g s:\Ñ:%C3%91:g s:\Ò:%C3%92:g s:\Ó:%C3%93:g s:\Ô:%C3%94:g s:\Õ:%C3%95:g s:\Ö:%C3%96:g s:\×:%C3%97:g s:\Ø:%C3%98:g s:\Ù:%C3%99:g s:\Ú:%C3%9A:g s:\Û:%C3%9B:g s:\Ü:%C3%9C:g s:\Ý:%C3%9D:g s:\Þ:%C3%9E:g s:\ß:%C3%9F:g s:\à:%C3%A0:g s:\á:%C3%A1:g s:\â:%C3%A2:g s:\ã:%C3%A3:g s:\ä:%C3%A4:g s:\å:%C3%A5:g s:\æ:%C3%A6:g s:\ç:%C3%A7:g s:\è:%C3%A8:g s:\é:%C3%A9:g s:\ê:%C3%AA:g s:\ë:%C3%AB:g s:\ì:%C3%AC:g s:\í:%C3%AD:g s:\î:%C3%AE:g s:\ï:%C3%AF:g s:\ð:%C3%B0:g s:\ñ:%C3%B1:g s:\ò:%C3%B2:g s:\ó:%C3%B3:g s:\ô:%C3%B4:g s:\õ:%C3%B5:g s:\ö:%C3%B6:g s:\÷:%C3%B7:g s:\ø:%C3%B8:g s:\ù:%C3%B9:g s:\ú:%C3%BA:g s:\û:%C3%BB:g s:\ü:%C3%BC:g s:\ý:%C3%BD:g s:\þ:%C3%BE:g s:\ÿ:%C3%BF:g s:\Œ:%C5%92:g s:\œ:%C5%93:g s:\Š:%C5%A0:g s:\š:%C5%A1:g s:\Ÿ:%C5%B8:g s:\Ž:%C5%BD:g s:\ž:%C5%BE:g s:\ƒ:%C6%92:g s:\ˆ:%CB%86:g s:\˜:%CB%9C:g s:\–:%E2%80%93:g s:\—:%E2%80%94:g s:\‘:%E2%80%98:g s:\’:%E2%80%99:g s:\‚:%E2%80%9A:g 
s:\“:%E2%80%9C:g s:\”:%E2%80%9D:g s:\„:%E2%80%9E:g s:\†:%E2%80%A0:g s:\‡:%E2%80%A1:g s:\•:%E2%80%A2:g s:\…:%E2%80%A6:g s:\‰:%E2%80%B0:g s:\‹:%E2%80%B9:g s:\›:%E2%80:g s:\™:%E2%84:g"] | |
``` Rewrite the scheme-and-host part of every object URL in id so that it points at localhost:8089. ```
| rex field=id mode=sed "s/(https?:\/\/)[^\/]+/\1localhost:8089/g" | |
``` Copy type into Workflowtype for workflow actions only, then strip the eai:acl. prefix from the ACL fields so they become sharing, owner, perms.read and so on. ```
| eval Workflowtype=if(Type="Workflow actions", type, null()) | |
| rename eai:acl.* as * | |
``` Build three curl argument strings per object, each a space-separated run of -d field="value" pairs: restoreparametercreate, restoreparameterupdate (a shorter field list) and restoreparameteracl (sharing, perms and owner). ```
``` For Automatic lookups, fields whose name contains lookup.field are written even when empty (coalesce to ""). Presumably any other field without a value contributes nothing because concatenating a null yields null - confirm. ```
| foreach "eai:data" search definition stanza value transform tag* filename fields_list collection external_type description *cron* is_scheduled schedule_window action* alert* args errormsg validation earliest_time latest_time header_label order display_location fields eventtypes REGEX FORMAT link.* search.* display.* type alias.* label field* overwrite lookup.* | |
[ eval restoreparametercreate=if(match("<<FIELD>>", "lookup\.field") AND Type="Automatic lookups", mvjoin(mvappend(restoreparametercreate, "-d <<FIELD>>=\"".coalesce('<<FIELD>>',"")."\""), " "),mvjoin(mvappend(restoreparametercreate, "-d <<FIELD>>=\"".'<<FIELD>>'."\""), " "))] | |
| foreach "eai:data" search definition value transform tag* filename fields_list collection external_type description *cron* is_scheduled schedule_window action* alert* args errormsg validation earliest_time latest_time header_label order display_location fields eventtypes REGEX FORMAT link.* search.* display.* alias.* label overwrite lookup.* | |
[ eval restoreparameterupdate=if(match("<<FIELD>>", "lookup\.field") AND Type="Automatic lookups", mvjoin(mvappend(restoreparameterupdate, "-d <<FIELD>>=\"".coalesce('<<FIELD>>',"")."\""), " "),mvjoin(mvappend(restoreparameterupdate, "-d <<FIELD>>=\"".'<<FIELD>>'."\""), " "))] | |
``` NOTE(review): owner was not in the field list of the percent-encoding stage, so it is written between double quotes as stored; confirm owner names cannot contain characters that the shell or the form parser treats specially. ```
| foreach "sharing" "perms.read" "perms.write" owner | |
[ eval restoreparameteracl=if(match("<<FIELD>>", "lookup\.field") AND Type="Automatic lookups", mvjoin(mvappend(restoreparameteracl, "-d <<FIELD>>=\"".coalesce('<<FIELD>>',"")."\""), " "),mvjoin(mvappend(restoreparameteracl, "-d <<FIELD>>=\"".'<<FIELD>>'."\""), " "))] | |
``` NOTE(review): Workflowtype is not named in any of the foreach field lists above, so this substitution looks like it never matches - confirm. ```
| rex field=restoreparameterupdate mode=sed "s/-d Workflowtype=/-d type=/g" | |
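``` Derive createid from id by removing the last path segment, which leaves the URL of the containing collection (presumably the endpoint a create request is sent to). ```
| eval createid=id
| rex mode=sed field=createid "s/(.*)\/[^\/]+$/\1/g"
``` title is chosen by the object's owner and is not covered by the percent-encoding stage. Encode a working copy and wrap the name pair in single quotes, so that spaces, quotes, "&" or other shell and form metacharacters in a title cannot change the meaning of the generated curl command when an administrator pastes it into a shell. ```
``` The substitution rules are the ones the field encoder already uses, with "%" first so that later escapes are not encoded again. ```
| eval encodedtitle=title
| rex field=encodedtitle mode=sed "s:%:%25:g s:\t:%09:g s:\n:%0A:g s: :%20:g s:\":%22:g s:\#:%23:g s:\&:%26:g s:\':%27:g s:\+:%2B:g s:\;:%3B:g s:\=:%3D:g"
| eval restoreparametercreate="-d name='" . encodedtitle . "' " . restoreparametercreate
``` encodedtitle is a working field and is dropped here; title itself stays unencoded for display. ```
| fields id createid title restoreparameter*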