Run predefined search sub-query in splunk - splunk

I am using a splunk query which always includes specific sub-query:
host="aaa" AND host ="bbb" AND host="ccc"
So for instance I do 2 different searches like:
host="aaa" AND host ="bbb" AND host="ccc" "MyClass" "id=3"
host="aaa" AND host ="bbb" AND host="ccc" "MyClass" "id=6"
and so on.
Is there a way to save somewhere predefined part of the query nad reuse it? So I could run my searches like
myquery="hosts_include" "MyClass" "id=3"
myquery="hosts_include" "MyClass" "id=6"
Or any other syntax which will simplify my query so I do not have to copy and paste the redundant sub query every time.

Use a macro. Go to Settings->Advanced search->Macros and define a new macro (call it "hosts", for example). Then invoke the macro in your queries by enclosing the name in backticks.
`hosts` "MyClass" "id=3"
`hosts` "MyClass" "id=6"

Related

Ansible dynamic variable

I have a file that looks like this:
message1,abcde,loc
message2,kkjojao,ethd
message3,abcde,eth4
I want to filter the file to create a lists that should look like this (similar value at the second position):
message1,abcde,loc
message3,abcde,eth4
and then send the messages using a task.
How can I do it with Ansible?
There is a csvfile lookup that you can use for the input, and plenty jinja2 filters.

Azure Data Factory - Switch Activity - File name startsWith

I need to create a Azure Data Factory pipeline which has to first format the source file and then call another pipeline. The pipeline would be triggered every time a new file is uploaded in the source blob storage. I want to re-use this pipeline for different source file formats.
For this I intend to use a Switch activity and based on the source file name, call corresponding Copy activity to create a formatted sink file. The issue is that the source files have standard prefixes but then have a timestamp, which means that file name would be different every time, something like:
File 1:
ABCDEF_1233
ABCDEF_2244
File 2:
UVWXYZ_1222
UVWXYX_2345
Can anyone help me understand how to do this?
I was thinking of using a Switch activity, and in the expression, use the #startsWith(triggerBody().fileName, ) and then in the CASE statements, I would like to provide the file name prefixes like ABCDEF, UVWXYZ etc. and then call a copy activity for each of the CASE statements.
But I am not sure how to specify the second argument in the startsWith() function.
suppose you have the filename in a variable called filename. write expression like this to find out which file we are going to load.
Have a set variable activity and assign file prefix to another variable called prefix
#if(greater(indexof(filename),'ABCDEF'),0),'ABCDEF',if(greater(indexof(filename),'UVWXYZ'),0),'UVWXYZ'))
At the end of this set variable, your prefix will have either ABCDEF or UVWXYZ
Then, you can use a switch activity based on prefix variable and mention the cases as
ABCDEF
UVWXYZ
for each case, you can have a copy activity for doing related transforamtions.

Storing fish shell aliases in another file

I have a config.fish in ~/.config/fish. While editing my fish_prompt I accidentally deleted my aliases once. I did have backup, but I want to store all aliases separately from now on. Also, how can I auto-load all of my aliases when I source the newly-edited config.fish?
I have alias update="source ~/.config/fish/config.fish". So if I make change to the location of my config.fish and edit the alias as necessary, next time I update the updated alias should reflect in the updated config. How can I do this?
There are a few things fish offers here:
Files in ~/.config/fish/functions named after a function (plus a ".fish" ending) will be autoloaded once that function is called
Files in ~/.config/fish/conf.d/ (with a ".fish" ending) will be sourced before config.fish
So you can either put your functions/aliases in a function file each, or put them in files in conf.d in whatever grouping you want.
Also you can put your fish_prompt in its own file - ~/.config/fish/functions/fish_prompt.fish
(also "alias" is simply a cheesy helper function to make functions - the core shell has no concept of aliases)

Dynamically generate url for HTTP source

I'm trying to call a http endpoint. For that I need to specify a url that uses a query string to filter data.
Sample URL: http://example.com?date=2017-10-04T22:18.007Z
I need to use the current system time as a value for date query string.
I created a script and assigned the generated url with the current datetime to a variable. However, when I assigned that variable for the url field in the source HTTP definition, it did not resolve the variable.
Is there a way to solve this issue?
I do this all the time. As long as your script is running properly (you can test that with the test feature on the script), you are writing the URL value to a global variable (something like $URL), and you are writing that global variable out in your target (something like [URL]), it should work.
If you want to show your script (just where you are creating the URL), and your target URL field that could help narrow down the problem.

How do I write a robust structural search template to report Mockito times(1)/Times(1) passed to verify in IntelliJ IDEA?

In my project Mockito.times(1) is often used when verifying mocks:
verify(mock, times(1)).call();
This is redundant since Mockito uses implicit times(1) for verify(Object), thus the following code does exactly what the code above does:
verify(mock).call();
So I'm going to write an a structural search drive inspection to report such cases (let's say, named something like Mockito.times(1) is redundant). As I'm not an expert in IntelliJ IDEA structural search, my first attempt was:
Mockito.times(1)
Obviously, this is not a good seach template because it ignores the call-site. Let's say, I find it useful for the following code and I would not like the inspection to trigger:
VerificationMode times = Mockito.times(1);
// ^ unwanted "Mockito.times(1) is redundant"
So now I would like to define the context where I would like the inspection to trigger. Now the inspection search template becomes:
Mockito.verify($mock$, Mockito.times(1))
Great! Now code like verify(mock, times(1)).call() is reported fine (if times was statically imported from org.mockito.Mockito). But there is also one thing. Mockito.times actually comes from its VerificationModeFactory class where such verification modes are grouped, so the following line is ignored by the inspection:
verify(mockSupplier, VerificationModeFactory.times(1)).get();
My another attempt to fix this one was something like:
Mockito.verify($mock$, $times$(1))
where:
$mock$ is still a default template variable;
$times$ is a variable with Text/regexp set to times, Whole words only and Value is read are set to true, and Expression type (regexp) is set to (Times|VerificationMode) -- at least this is the way I believed it should work.
Can't make it work. Why is Times also included to the regexp? This is the real implementation of *.times(int), so, ideally, the following line should be reported too:
verify(mockSupplier, new Times(1)).get();
Of course, I could create all three inspection templates, but is it possible to create such a template using single search template and what am I missing when configuring the $times$ variable?
(I'm using IntelliJ IDEA Community Edition 2016.1.1)
Try the following search query:
Mockito.verify($mock$, $Qualifier$.times(1))
With $Qualifier$ text/regexp VerificationModeFactory|Mockito and occurrences count 0,1 (to find it when statically imported also).
To also match new Times(1) you can use the following query:
Mockito.verify($mock$, $times$)
With $times$ text/regexp .*times\s*\(\s*1\s*\) and uncheck the Case sensitive checkbox.