ksconf filter fails to extract a stanza containing square brackets
guilhemmarchand opened this issue · comments
The problem
If a stanza contains square brackets in its name (which Splunk will allow), the ksconf filter command fails to extract its definition.
Environment
- Ksconf version: ksconf 0.8.7 (Build 669)
- OS & version used: Linux Ubuntu / Debian / RHEL / CentOS
- Python version: py3
- Installed via: Splunk app
Details
The command ksconf filter fails to render any results if the stanza contains [ ] in its name, without any specific errors.
The following two searches in a fully virgin instance:
The following shows the issue:
[splunk@splunk splunk]$ /opt/splunk/bin/ksconf filter --stanza "Test - Sample1" /opt/splunk/etc/apps/search/local/savedsearches.conf
[Test - Sample1]
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.show = 0
request.ui_dispatch_app = search
request.ui_dispatch_view = search
search = | makeresults\
| eval action="failed", subject="foo"
[splunk@splunk splunk]$ /opt/splunk/bin/ksconf filter --stanza "Test - Sample1 [this fails]" /opt/splunk/etc/apps/search/local/savedsearches.conf
[splunk@splunk splunk]$ /opt/splunk/bin/ksconf filter --stanza 'Test - Sample1 [this fails]' /opt/splunk/etc/apps/search/local/savedsearches.conf
[splunk@splunk splunk]$ /opt/splunk/bin/ksconf filter --stanza 'Test - Sample1 \[this fails\]' /opt/splunk/etc/apps/search/local/savedsearches.conf
[splunk@splunk splunk]$ /opt/splunk/bin/ksconf filter --stanza 'Test - Sample1 "["this fails"]"' /opt/splunk/etc/apps/search/local/savedsearches.conf
It's been confirmed on different systems and platforms.
Steps To Reproduce Issue [ Good To Have ]
Please remember that sample configs often make problems easier to reproduce making it faster to fix the bug.
- Create a report containing [ ] in its name
- Try to extract its definition via ksconf filter
Many thanks!
The issue here is the filter "match" mode defaults to wildcard, which just uses fnmatch() internally. And technically, fnmatch allows [] character range matches. In automation cases, for example, where it's advantageous to avoid wildcard matching, then I suggest forcing literal matching using the --match=string option.
So while this returns no matches:
ksconf filter --stanza 'Test - Sample1 [this fails]' savedsearches.conf
This will grab the desired stanza:
ksconf filter --match string --stanza 'Test - Sample1 [this fails]' savedsearches.conf
Unfortunately, I had to pick one default behavior. In this case, I'm prioritizing interactive use cases over batch-processing; knowing that typing some extra arguments (i.e., --match string) is pretty cheap in a script, but a pain if you'd have to keep specifying "wildcard" in interactive use cases: ksconf filter --match wildcard 'project_alert_*'
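The fnmatch behaviour described in the reply above, as an added Python example that is not part of the thread and is not ksconf's own code. It shows that the bracketed pattern in wildcard mode misses the intended stanza and selects a different one instead, while literal matching or an escaped pattern selects the right one. The `select` and `escaped` helpers and the sample configuration are constructed for illustration.

```python
import fnmatch
import glob

# Constructed sample input, not taken from a real Splunk instance.
SAMPLE_CONF = """\
[Test - Sample1]
search = | makeresults

[Test - Sample1 [this fails]]
search = | makeresults

[Test - Sample1 t]
search = | makeresults
"""

TARGET = "Test - Sample1 [this fails]"


def stanza_names(conf_text):
    """Collect stanza names: header lines start with '[' and end with ']'."""
    names = []
    for line in conf_text.splitlines():
        line = line.rstrip()
        if line.startswith("[") and line.endswith("]"):
            names.append(line[1:-1])
    return names


def select(names, pattern, mode="wildcard"):
    """Hypothetical stand-in for the two match modes discussed above."""
    if mode == "wildcard":
        # fnmatch reads "[this fails]" as a one-character class.
        return [n for n in names if fnmatch.fnmatch(n, pattern)]
    if mode == "string":
        return [n for n in names if n == pattern]
    raise ValueError(f"unknown match mode: {mode}")


def escaped(pattern):
    """Quote *, ? and [ so a wildcard matcher treats them literally."""
    return glob.escape(pattern)


if __name__ == "__main__":
    names = stanza_names(SAMPLE_CONF)
    print("wildcard:", select(names, TARGET, "wildcard"))
    print("string:  ", select(names, TARGET, "string"))
    print("escaped: ", escaped(TARGET), "->", select(names, escaped(TARGET)))
```

In a script that passes stanza names taken from data, the wildcard result is the case to watch for: the command succeeds but returns a stanza other than the one named.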