Kintyre / ksconf

Kintyre's Splunk Configuration tool

ksconf filter fails to extract a stanza containing square brackets

guilhemmarchand opened this issue

The problem

If a stanza contains square brackets in its name (which Splunk will allow), the ksconf filter command fails to extract its definition.

Environment

  • Ksconf version: ksconf 0.8.7 (Build 669)
  • OS & version used: Linux Ubuntu / Debian / RHEL / CentOS
  • Python version: py3
  • Installed via: Splunk app

Details

The command ksconf filter fails to render any results if the stanza contains [ ] in its name, without any specific errors.
The following two searches in a fully virgin instance:

image

The following shows the issue:

[splunk@splunk splunk]$ /opt/splunk/bin/ksconf filter --stanza "Test - Sample1" /opt/splunk/etc/apps/search/local/savedsearches.conf 
[Test - Sample1]
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.show = 0
request.ui_dispatch_app = search
request.ui_dispatch_view = search
search = | makeresults\
| eval action="failed", subject="foo"
[splunk@splunk splunk]$ /opt/splunk/bin/ksconf filter --stanza "Test - Sample1 [this fails]" /opt/splunk/etc/apps/search/local/savedsearches.conf 
[splunk@splunk splunk]$ /opt/splunk/bin/ksconf filter --stanza 'Test - Sample1 [this fails]' /opt/splunk/etc/apps/search/local/savedsearches.conf 
[splunk@splunk splunk]$ /opt/splunk/bin/ksconf filter --stanza 'Test - Sample1 \[this fails\]' /opt/splunk/etc/apps/search/local/savedsearches.conf 
[splunk@splunk splunk]$ /opt/splunk/bin/ksconf filter --stanza 'Test - Sample1 "["this fails"]"' /opt/splunk/etc/apps/search/local/savedsearches.conf 

It's been confirmed on different systems and platforms.

Steps To Reproduce Issue [ Good To Have ]

Please remember that sample configs often make problems easier to reproduce making it faster to fix the bug.

  1. Create a report containing [ ] in its name
  2. Try to extract its definition via ksconf filter

Many thanks!

The issue here is that the filter "match" mode defaults to wildcard, which just uses fnmatch() internally. And technically, fnmatch allows [] character range matches. In automation cases, for example, where it's advantageous to avoid wildcard matching, I suggest forcing literal matching using the --match=string option.

So while this returns no matches:

ksconf filter --stanza 'Test - Sample1 [this fails]' savedsearches.conf 

This will grab the desired stanza:

ksconf filter --match string --stanza 'Test - Sample1 [this fails]' savedsearches.conf

Unfortunately, I had to pick one default behavior. In this case, I'm prioritizing interactive use cases over batch-processing; knowing that typing some extra arguments (i.e., --match string) is pretty cheap in a script, but a pain if you'd have to keep specifying "wildcard" in interactive use cases: ksconf filter --match wildcard 'project_alert_*'
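
Added example (not part of the thread and not ksconf's own code): a stand-alone Python sketch of the fnmatch behaviour described in the reply above, showing that a bracketed stanza name used as a wildcard pattern can select a different stanza than the one intended. The helpers `select` and `literal_glob` and the stanza list are hypothetical and constructed for illustration; the sketch assumes only that wildcard matching behaves like Python's `fnmatch`.

```python
import fnmatch
import glob

# Constructed sample: stanza names as they might appear in savedsearches.conf.
STANZAS = [
    "Test - Sample1",
    "Test - Sample1 [this fails]",
    "Test - Sample1 t",
    "project_alert_disk",
]


def select(stanzas, pattern, mode="wildcard"):
    """Return the stanza names selected by pattern.

    mode="wildcard": fnmatch-style glob, where [...] is a character class.
    mode="string":   exact, literal comparison.
    """
    if mode == "wildcard":
        # fnmatchcase avoids the OS-dependent case folding of fnmatch.fnmatch.
        return [s for s in stanzas if fnmatch.fnmatchcase(s, pattern)]
    if mode == "string":
        return [s for s in stanzas if s == pattern]
    raise ValueError("unknown match mode: %r" % mode)


def literal_glob(name):
    """Escape glob metacharacters (*, ?, [) so name matches only itself."""
    return glob.escape(name)


if __name__ == "__main__":
    name = "Test - Sample1 [this fails]"
    # As a glob, "[this fails]" means "one character out of t,h,i,s,' ',f,a,l",
    # so the bracketed stanza is missed and "Test - Sample1 t" is selected.
    print(select(STANZAS, name))
    # Literal comparison selects the intended stanza.
    print(select(STANZAS, name, mode="string"))
    # Escaping the name keeps glob matching but neutralises the brackets.
    print(select(STANZAS, literal_glob(name)))
    # A genuine wildcard still works as expected.
    print(select(STANZAS, "project_alert_*"))
```

In a script that passes stanza names from data, the first case is the one to watch for: the pattern returns a result, just not the stanza that was asked for.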