Downloading Roost
SHA256 checksum (roost_12.tgz) 8913487a7456b33791f9aeec512beead5bd18b07ab1c2b48d5c02d6d65978407
SHA256 checksum (roost_10.tgz) 7038d242be5822e8f0853848f83ae7befcec2282047a826875442ec1d3147900
SHA256 checksum (roost_09.tgz) 4aab6a84e17236b6c1f643d63dc6e55c0a36e695b4700378e6c8f6caca4b1ea6
SHA256 checksum (roost_07.tgz) 5eaf177609a82cf945a30b744e3cd8b44c25c20e7d4bd0d8bd91de0dd0d940c8
SHA256 checksum (roost_05.tgz) 26fab91c557a77b156ea8aa193819a2eed40002141e9a5469beb765cf7deef1a

Roost

This app has been archived. Learn more about app archiving.
This app is NOT supported by Splunk. Please read about what that means for you here.
Roost provides a modular input to gather data from your Nest Thermostat.

Installation:

  1. Download the App
  2. Unzip the App into $SPLUNK_HOME/etc/apps
  3. Restart Splunk
  4. Create your Modular Input for each Nest account (Settings -> Data Inputs)
  5. NOTE: MAKE SURE YOU SET THE INTERVAL SETTING TO 60 UNDER MORE SETTINGS!!!!!!!

If configured properly, you should start seeing data within 5 minutes. Once data is flowing properly, you can run the "Nest Admin - Regenerate Lookups" dashboard to create your lookups without having to wait!

Data Estimate: I've estimated this app uses around 10MB/day.

Getwatchlist Documentation

Scripts and binaries

This App provides the following scripts:

getwatchlist.py
Fetches different watchlists for processing and output.

About My LongName

Note: If you were using a previous version, please make sure to read about the changes in the configuration file locations, and back up any custom configurations you may have prior to upgrading!

Requirements

This custom command has been tested on Splunk 8 and higher. If you want to pull down lists off of the internet, your search head will need to have internet access.

Installation

To install, copy the downloaded tarball to the $SPLUNK_HOME/etc/apps directory and expand it. This will create a directory named getwatchlist which contains the sample configuration file, the command.conf to enable the command, as well as permissions to enable usage of the command globally in Splunk. Splunk will need to be restarted for the new application and configuration to take effect.

Usage

Options for getwatchlist can be supplied via the search options passed in the search box, a configuration file, or a combination of the two. The first argument passed to getwatchlist is the name of a profile in the configuration file. If a profile exists, it will be loaded first, and then options passed via the search command will be used to overwrite the stored settings. If the profile does not exist, default settings are used.

Options are passed in a key=value fashion. Arguments that are passed and are not known arguments will be appended as custom fields. So if I add a field of:

spam=tasty

Each line of the CSV which is returned will have a column named "spam", with a value of "tasty".

If there are additional columns in the list which you would like to be output as well, you can tell the command which column to include and what its name should be. To do this, use an integer (the column number you would like to include) as the key, and give it a name for the column as the value. To include column 3 of a list, and name the column "enddate", you would add 3=enddate to your command parameters or configuration.

Here are options which can be passed, or used in the configuration file:

categoryCol
The column number of any category field in the fetched file.

comment (default: #)
The character which is used to denote a commented out line.

dateCol
The column number of any date field in the file which you would like to use for reference.

delimiter (default: \t)
The delimiter field of the fetched file.

ignoreFirstLine (default: False)
Some watchlists contain a header which is not commented out. If this is set to "True" this line will be ignored.

relevantFieldCol (default: 1)
The column number (starting at 1) which contains the key value you would like to use.

relevantFieldName (default: ip_address)
What you would like the field to be named in the CSV output (not the name in the fetched CSV).

referenceCol
The column number of any reference field in the fetched CSV.

url
The URL of the file to be retrieved (HTTP, HTTPS or FTP).

authUser
Username to use for authentication (HTTP Basic or FTP)

authPassword
Password to use for authentication (HTTP Basic or FTP)

proxyHost
Hostname or IP of the HTTP proxy to be used for HTTP and HTTPS connections

proxyPort
Port for the HTTP proxy

Configuration File

Configurations are kept in files named getwatchlist.conf. An example of this file is in the /default/ directory of the application. It contains example profiles which are ready to use. Any custom configuration items in the /local/ version of the .conf file will override or add on to any settings in the /default/ file, much like normal Splunk configuration. Additionally, settings entered via the search command will override both the /default/ and /local/ settings.

The "globals" section of the configuration file can be used for proxy configuration. By using the globals section, the command will use those settings by default, but can be overridden using command or profile settings.
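
The precedence rules in the Usage and Configuration File sections, worked through as an added example (not the app's own code); knowing which layer wins matters when auditing which URL, proxy or credentials a search actually uses. It assumes getwatchlist.conf holds one INI stanza per profile plus a globals stanza, that referenceCol is emitted as a column named "reference", and that ignoreFirstLine drops the first uncommented line; the function names, configuration text and feed are constructed.

```python
import configparser
import csv

# Options listed on this page; any other key=value pair becomes a custom field.
KNOWN = {"categoryCol", "comment", "dateCol", "delimiter", "ignoreFirstLine",
         "relevantFieldCol", "relevantFieldName", "referenceCol", "url",
         "authUser", "authPassword", "proxyHost", "proxyPort"}
DEFAULTS = {"comment": "#", "delimiter": "\t", "ignoreFirstLine": "False",
            "relevantFieldCol": "1", "relevantFieldName": "ip_address"}

def resolve(profile, search_args, default_conf, local_conf):
    """Merge settings lowest priority first: defaults, globals, profile, search."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str          # keep camelCase option names
    cp.read_string(default_conf)
    cp.read_string(local_conf)    # /local/ overrides or adds to /default/
    opts = dict(DEFAULTS)
    for section in ("globals", profile):
        if cp.has_section(section):
            opts.update(cp[section])
    opts.update(search_args)      # search-bar options win over both files
    return opts

def parse(text, opts):
    """Turn fetched list text into output rows per the option descriptions."""
    lines = [ln for ln in text.splitlines()
             if ln.strip() and not ln.startswith(opts["comment"])]
    if str(opts["ignoreFirstLine"]).lower() in ("true", "1"):
        lines = lines[1:]         # assumption: drops the first uncommented line
    cols = {int(opts["relevantFieldCol"]): opts["relevantFieldName"]}
    if "referenceCol" in opts:    # assumption: output column is named "reference"
        cols[int(opts["referenceCol"])] = "reference"
    cols.update({int(k): v for k, v in opts.items() if k.isdigit()})  # e.g. 3=enddate
    custom = {k: v for k, v in opts.items() if k not in KNOWN and not k.isdigit()}
    reader = csv.reader(lines, delimiter=opts["delimiter"])
    return [{**{n: r[i - 1].strip() for i, n in cols.items() if i <= len(r)}, **custom}
            for r in reader]

# Constructed configuration and feed text (not the app's shipped files).
DEFAULT_CONF = """[globals]
proxyPort = 3128
[spamhaus]
delimiter = ;
comment = ;
referenceCol = 2
ignoreFirstLine = True
relevantFieldName = sourceRange"""
LOCAL_CONF = "[spamhaus]\nrelevantFieldName = src_range\n"
FEED = "; constructed sample\nrange ; ref\n192.0.2.0/24 ; REF-A ; 2030-01-01\n"
```

Calling `resolve("spamhaus", {"spam": "tasty", "3": "enddate"}, DEFAULT_CONF, LOCAL_CONF)` and passing the result to `parse(FEED, ...)` yields one row keyed by the /local/ field name, with the extra column and the custom field appended.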

Event Generator

My LongName does not include an event generator.

Acceleration

  • Summary Indexing: No

  • Data Model Acceleration: No

  • Report Acceleration: No

Third Party

Version _VERSION_ of My LongName incorporates the following Third-party software or third-party services.

  • pylightxl

  • splunklib

  • tld

Examples

Splunk Searches to output a watchlist

Spamhaus DROP list from config file

|getwatchlist spamhaus

Spamhaus DROP list via URL

|getwatchlist spamhaus url=https://www.spamhaus.org/drop/drop.lasso delimiter=; relevantFieldName='sourceRange' relevantFieldCol=1 referenceCol=2 ignoreFirstLine=True comment=;

Generic URL

|getwatchlist default url=https://www.google.com/robots.txt spam=tasty relevantFieldName=action

|getwatchlist txt url=https://www.team-cymru.org/Services/Bogons/fullbogons-ipv4.txt relevantFieldName=src_ip

XLSX Document

| getwatchlist xlsx url=https://www.tn.gov/content/dam/tn/health/documents/cedep/novel-coronavirus/datasets/Public-Dataset-Data-Dictionary.xlsx sheetIndex=1 autoExtract=1 ignoreFirstLine=1

| getwatchlist xlsx url=https://www.cdc.gov/vaccines/programs/iis/downloads/Preview-Posting-of-COVID-19-Vaccine-Codes-and-Crosswalk-20220831.xlsx sheetIndex=1 ignoreFirstLine=1

CSV Document

| getwatchlist csv url=https://corgis-edu.github.io/corgis/datasets/csv/billionaires/billionaires.csv

XLS Document

XLS Documents ARE NOT Supported due to out-of-date protocols. Convert to XLSX, CSV, or JSON.

JSON Document

This example uses an encoded URL to make sure parameters are sent to the endpoint correctly. Encoded URLs are automatically decoded. The JSON profile with autoExtract set to false will return the response in a _raw field, which can be used for further processing with commands.

| getwatchlist json url=https%3A%2F%2Fqrng.anu.edu.au%2FAPI%2FjsonI.php%3Flength%3D100%26type%3Duint8 autoExtract=0 | extract reload=true

This example uses an encoded url, but also includes a dataKey to target a list of data to use for the rows in the response.

| getwatchlist json url=https%3A%2F%2Fservices1.arcgis.com%2FFjPcSmEFuDYlIdKC%2Farcgis%2Frest%2Fservices%2FEelgrass_2006_Points_Beds%2FFeatureServer%2F1%3Ff%3Dpjson dataKey=fields

This example uses Splunk to encode the URL:

| makeresults | eval url="https://services1.arcgis.com/FjPcSmEFuDYlIdKC/arcgis/rest/services/Eelgrass_2006_Points_Beds/FeatureServer/1?f=pjson" | `urlencode("url")` | map [ getwatchlist json url=$url$ dataKey=fields]

The expandObjects command flag can be used when the source data is an object with keys, and the values of those keys are themselves objects that contain the fields.

Sample Data (served locally on 5555):

{ "0": {"field1": "value1", "field2": "value2"}, "something": {"field1": "value2", "field2": "value3"}}

Example:

| getwatchlist json url=http://localhost:5555/ expandObjects=1

Example output:

field1 field2
value1 value2
value2 value3

The dictKeys command flag can be used to pull a column that is an object, and make it a row with the headers added to the table.

Example:

| getwatchlist json url=https%3A%2F%2Fservices1.arcgis.com%2FFjPcSmEFuDYlIdKC%2Farcgis%2Frest%2Fservices%2FEelgrass_2006_Points_Beds%2FFeatureServer%2F1%3Ff%3Dpjson dictKeys="extent,geometryProperties,advancedQueryAnalyticCapabilities" | fields spatialReference xmin ymax supportsLinearRegression shape*

Configuration File Examples

Examples can be found in the $APP_HOME/default/getwatchlist.conf

Splunk Searches using saved lookups

Using a subsearch from the CSV: index="webproxy" [|inputlookup phishtank.csv | fields uri]

Using a configured lookup: index="webproxy" | lookup phishtank uri | search isbad=true

Support and Resources

Questions and answers

Access questions and answers specific to My LongName at https://answers.splunk.com/app/questions/4227.html . Be sure to tag your question with the App.

Support

For further inspection in the logs, set the DEBUG flag on the loggers in default/log.cfg

Diag can be generated via $SPLUNK_HOME/bin/splunk diag --collect=app:getwatchlist

Release notes

Version 1.2.1

  • Added Upgrader to check and remove (if configured) non-manifest apps.

Version 1.2.0

  • Removed getwatchlist_orig.py for Cloud compat

  • CSV, TXT, JSON, XLSX formats are supported directly using profiles.

  • Enhanced auto-parsing of CSV, JSON, XLSX formats.

Version 1.1.7

  • Fixed issue with App Setup Configuration being forced

Version 1.1.6

  • Fix issue where URLs would not be called without a profile name.

  • Fix issue with pass-through field names and values.

Version 1.1.5

  • Fix issue when URL is specified with parameters in search bar

Version 1.1.3

  • Fix invalid stanza on startup

Version 1.1.2

  • Remove unnecessary files

Version 1.1.1

  • Updated to Python 3 for Splunk 8 and above.

Version 1.0.0

Added:

  • Better error handling and output in Splunk

  • The ability to add values from other columns in the fetched list.

Changed:

  • The configuration file has been made more Splunk-like. An example file is in /default/ and custom profiles or configs can be added to a getwatchlist.conf in the /local/ directory.

  • The URL for Malware Domains has been updated, as from 8/1/11 the domains.txt file will only be available from mirrors.

Security:

  • Note that a potential security vulnerability was found in version 0.7. Users are urged to update.

Inputs

ptag_upgrader
ptag_upgrader://d0a05452-cb76-4a4e-b374-f3b881900b26

Release Notes

Version 1.2
July 30, 2014
  1. Removed the conflict with a different Nest Splunk App. You will need to redefine your inputs!
  2. Converted data feed into JSON!
  3. Cleared up some bugs!
  4. Added a "Nest Admin" dashboard to repopulate your lookups on-demand!
  5. Added Schedules!
  6. Removed dependency on TA-wunderground data!

Version 1.0
Jan. 14, 2014

Added Support for multiple devices and buildings! Updated graphs to use fancy accordions!

Version 0.9
Dec. 16, 2013

Added Energy Viz on Current Status Page.
Converted Current Status to HTML.

Version 0.7
Dec. 11, 2013

Optimized the System State metrics.
New Visualizations for the Leafable panel.

Version 0.5
Dec. 3, 2013
