
Add import command

Open 0xC0FFEEEE opened this issue 2 years ago • 1 comments

This PR adds support for importing updated searches from an existing savedsearches.conf.

contentctl -p <path_to_content> import -c <path_to_savedsearches.conf>

For the sake of simplicity I opted to read the detection rules, update the search string and write the updated yml back. Whilst it's not perfect, at the very least it's idempotent and only updates detections with updated searches.

I'd value any feedback or contributions (from Splunk and customers) for the next round of updates to this feature branch 🙂

0xC0FFEEEE Nov 25 '23 15:11
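The update described in the post above, as an added example that is not the PR's or contentctl's own code: it parses a savedsearches.conf, rewrites only the detections whose search string differs, and returns nothing on a second run. Assumptions: detections are plain dicts with `name` and `search` keys standing in for the yml files, stanzas are named `ESCU - <name> - Rule`, continuation lines are joined with a space, and `parse_conf` / `import_searches` are hypothetical names.

```python
import re

# Constructed sample savedsearches.conf (not from the PR). Splunk .conf values
# continue onto the next line when a line ends with a backslash.
SAMPLE_CONF = """\
[ESCU - Suspicious Process - Rule]
search = | tstats count from datamodel=Endpoint.Processes \\
  where Processes.process_name=evil.exe by Processes.dest
disabled = 0

[ESCU - Unchanged Detection - Rule]
search = index=main sourcetype=auth action=failure
"""

def parse_conf(text):
    """Return {stanza: {key: value}}, joining backslash-continued lines."""
    stanzas, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):
            pending = line[:-1].rstrip() + " "  # simplification: join with a space
            continue
        pending = ""
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = stanzas.setdefault(m.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)  # the search itself may contain '='
            current[key.strip()] = value.strip()
    return stanzas

def import_searches(detections, conf_text, pattern=r"ESCU - (.+) - Rule"):
    """Update detection dicts in place; return names whose search changed."""
    changed = []
    by_name = {d["name"]: d for d in detections}
    for stanza, settings in parse_conf(conf_text).items():
        m = re.fullmatch(pattern, stanza)  # assumed stanza naming convention
        det = by_name.get(m.group(1)) if m else None
        if det is None or "search" not in settings:
            continue  # unknown stanza or no search: leave content untouched
        if det["search"] != settings["search"]:
            det["search"] = settings["search"]
            changed.append(det["name"])
    return changed
```

Stanzas that match no known detection are skipped rather than created, so a stray or renamed saved search cannot silently add detection content.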

Updated to use YmlReader and YmlWriter, do some cleanup of imports and add some useful console output.

0xC0FFEEEE Nov 29 '23 00:11

Unfortunately, we have sat on this PR for a long time and there are a number of other changes we'd like to make to support it. There have been huge changes to the contentctl codebase in that time. As such, I am going to close this PR, but have opened an issue to track this as a requested feature and linked back to this PR for visibility (and so that we have a clear record of the implementation work that's already been done).

Linked issue for tracking: https://github.com/splunk/contentctl/issues/275

pyth0n1c Aug 30 '24 19:08