Data Generator doesn't set host field via token

[ghost]

The following configuration in pytest-splunk-addon-data.conf does replace the tokens as expected, but the ingested data shows a value of Barracuda.logfor field host. Therefore test Test_App.test_indextime_key_fields fails.

[Barracuda.log]
sourcetype = barracuda
#source =
#sourcetype_to_search = barracuda
host_type = plugin
input_type = file_monitor
index = main
sample_count = 20
#expected_event_count =
timestamp_type = event
#breaker =

token.1.token = ##time1##
token.1.replacementType = timestamp
token.1.replacement = %b %d %H:%M:%S
token.1.field = _time

token.2.token = ##host##
token.2.replacementType = random
token.2.replacement = host["ipv4"]
token.2.field = host

token.3.token = ##time2##
token.3.replacementType = timestamp
token.3.replacement = %Y-%m%d %H:%M:%S.%3Q +%z

The following config using host_type = plugin produces the exact same result.

[Barracuda.log]
sourcetype = barracuda
#source =
#sourcetype_to_search = barracuda
host_type = plugin
input_type = file_monitor
index = main
sample_count = 20
#expected_event_count =
timestamp_type = event
#breaker =

token.1.token = ##time1##
token.1.replacementType = timestamp
token.1.replacement = %b %d %H:%M:%S
token.1.field = _time

token.2.token = ##host##
token.2.replacementType = random
token.2.replacement = host["ipv4"]
#token.2.field = host

token.3.token = ##time2##
token.3.replacementType = timestamp
token.3.replacement = %Y-%m%d %H:%M:%S.%3Q +%z

Test output:

---------------------------------------------------------------------------------------------- Captured log call -----------------------------------------------------------------------------------------------
DEBUG    pytest-splunk-addon:test_templates.py:80 Base search for indextime key field test: search (index=*) sourcetype=barracuda host IN ("Barracuda.log") | table host
DEBUG    pytest-splunk-addon:test_templates.py:88 Results:[{'host': 'Barracuda.log'}, {'host': 'Barracuda.log'}, {'host': 'Barracuda.log'}, {'host': 'Barracuda.log'}, {'host': 'Barracuda.log'}, {'host': 'Barracuda.log'}, {'host': 'Barracuda.log'}, {'host': 'Barracuda.log'}, {'host': 'Barracuda.log'}, {'host': 'Barracuda.log'}, {'host': 'Barracuda.log'}, {'host': 'Barracuda.log'}, {'host': 'Barracuda.log'}, {'host': 'Barracuda.log'}, {'host': 'Barracuda.log'}, {'host': 'Barracuda.log'}, {'host': 'Barracuda.log'}, {'host': 'Barracuda.log'}, {'host': 'Barracuda.log'}, {'host': 'Barracuda.log'}]
INFO     pytest-splunk-addon:test_templates.py:143 Some values for the following key fields are missing

Key_field | Expected_values                                                                                                                                                                                                                                                                                                        | Actual_values
--------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -----------------
host      | {'172.16.51.6', '172.16.51.7', '172.16.51.3', '172.16.51.18', '172.16.51.12', '172.16.51.8', '172.16.51.17', '172.16.51.19', '172.16.51.10', '172.16.51.11', '172.16.51.1', '172.16.51.15', '172.16.51.4', '172.16.51.16', '172.16.51.0', '172.16.51.9', '172.16.51.5', '172.16.51.13', '172.16.51.2', '172.16.51.14'} | {'Barracuda.log'}

System information:

platform darwin -- Python 3.8.6, pytest-6.1.1, py-1.9.0, pluggy-0.13.1 -- /usr/local/opt/[email protected]/bin/python3.8
using: pytest-6.1.1 pylib-1.9.0
setuptools registered plugins:
  lovely-pytest-docker-0.2.0 at /usr/local/lib/python3.8/site-packages/lovely/pytest/docker/compose.py
  pytest-splunk-addon-1.3.9 at /usr/local/lib/python3.8/site-packages/pytest_splunk_addon/plugin.py
  pytest-splunk-addon-1.3.9 at /usr/local/lib/python3.8/site-packages/pytest_splunk_addon/splunk.py
  pytest-xdist-2.1.0 at /usr/local/lib/python3.8/site-packages/xdist/plugin.py
  pytest-xdist-2.1.0 at /usr/local/lib/python3.8/site-packages/xdist/looponfail.py
  pytest-forked-1.3.0 at /usr/local/lib/python3.8/site-packages/pytest_forked/__init__.py
  Faker-4.14.0 at /usr/local/lib/python3.8/site-packages/faker/contrib/pytest/plugin.py

[monishshah-crest]

@emk3y
Here there are two issues:

• In the first stanza log, where token.2.field=host is provided, there should be host_type = event as host assignment is being done via token. Hence, test would fail as it is ingesting different host and tests are asserting different hosts.

• For the second stanza log, host_type=plugin works as there is token.2.field = host and tests fail. But in the Splunk, Events wouldn't have host as Ip's(Ex: 172.15.1.1) something like that.

[ghost]

Thanks for the fast reply! You're correct, the combination in the first example is wrong. It was one of many tests, so I made an copy+paste error.

So i retried the following configuration:

[Barracuda.log]
sourcetype = barracuda
#source =
#sourcetype_to_search = barracuda
host_type = event
input_type = file_monitor
index = main
sample_count = 20
#expected_event_count =
timestamp_type = event
#breaker =

token.1.token = ##time1##
token.1.replacementType = timestamp
token.1.replacement = %b %d %H:%M:%S
token.1.field = _time

token.2.token = ##host##
token.2.replacementType = random
token.2.replacement = host["ipv4"]
token.2.field = host

token.3.token = ##time2##
token.3.replacementType = timestamp
token.3.replacement = %Y-%m%d %H:%M:%S.%3Q +%z

This leads to the following errors:

=========================================================================================== short test summary info ============================================================================================
FAILED test_addon.py::Test_App::test_indextime_key_fields[barracuda::172.16.51.0_to_172.16.51.19] - AssertionError: No Events found for query search (index=*) sourcetype=barracuda host IN ("172.16.51.9","1...
FAILED test_addon.py::Test_App::test_indextime_time[barracuda::172.16.51.0_to_172.16.51.19] - AssertionError: No Events found for query: search (index=*) sourcetype=barracuda host IN ("172.16.51.9","172.16...
FAILED test_addon.py::Test_App::test_indextime_line_breaker[barracuda::Barracuda.log] - AssertionError: Query: search (index=*) sourcetype=barracuda host IN ("172.16.51.9","172.16.51.13","172.16.51.3","172...

This is due to the value of the hostfield, as the following Search shows:

index=* sourcetype="barracuda" | stats count by index source sourcetype host
---
index,source,sourcetype,host,count
main,"pytest_splunk_addon:hec:raw",barracuda,"Barracuda.log",20

Just to make sure I understand the expected behavior correctly - with host_type = event and token.2.field = host set the host field should be populated by the Data Generator and does not expect the packaged app to extract the host value at this point. Right?

[monishshah-crest]

From the above query's result index=* sourcetype="barracuda" | stats count by index source sourcetype host it is observed that host is somewhat changes maybe (FIELDALIAS/EVAL etc) operations are being performed by the ADDON which might be leading to such failures.

Regarding second query, yes host_type = event and token.2.field = host sets the host field via Data generator but once Ingested in Splunk, it's value may change depending on ADDON's props/transforms as mentioned above.

[ghost]

Until now the package doesn't actually contain any real content as I was trying to get the test environment up and running as a test. So there is nothing in there that could've rewritten the host field.

Additionally, looking at .tokenized_values/Barracuda.log.json it shows the same value for host as well.

{
	"Barracuda.log": {
		"metadata": {
			"host": "Barracuda.log",
			"source": null,
			"sourcetype": "barracuda",
			"timestamp_type": "event",
			"input_type": "file_monitor",
			"expected_event_count": 20,
			"index": "main"
		},
...