import argparse
import configparser
import re
from itertools import chain
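# Command-line interface: the config file to read and the stanza whose REGEX
# setting should be expanded.
p = argparse.ArgumentParser(description='Parses transform regex with substituted patterns.')
p.add_argument('file', help='A Splunk config file like transforms.conf.')
p.add_argument('stanza', help='The transform section/stanza.')
args = p.parse_args()

# Interpolation is switched off because REGEX values are regular expressions,
# not configparser templates: with the default BasicInterpolation a literal
# '%' in a value makes config.get() raise InterpolationSyntaxError.
config = configparser.ConfigParser(interpolation=None)
with open(args.file) as f:
    try:
        config.read_file(f)
    except configparser.MissingSectionHeaderError:
        # The file has settings before any [stanza] header. The failed attempt
        # has already consumed lines from the handle (including the one that
        # triggered the error), so rewind before re-reading; otherwise those
        # settings are silently dropped from the parsed config.
        f.seek(0)
        # Prepend a [DEFAULT] header so the leading settings parse. Note that
        # configparser makes DEFAULT values visible from every other section.
        config.read_file(chain(['[DEFAULT]'], f))

# Matches a substitution placeholder: [[stanza]] or [[stanza:name]].
# Group "section" is the referenced stanza (any run of characters other than
# ']'); the optional group "name" is the text after the colon.
splunk_re_subst = re.compile(r'\[\[(?P<section>[^]]+?)(?::(?P<name>.+?))?\]\]')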
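def get_regex(section_name, _resolving=()):
    """Return the REGEX of a stanza with every [[...]] placeholder expanded.

    Each ``[[stanza]]`` placeholder is replaced by ``(<expanded regex>)`` and
    each ``[[stanza:name]]`` placeholder by ``(?<name><expanded regex>)``,
    where the expanded regex is obtained by resolving the referenced stanza
    recursively.

    Args:
        section_name: Name of the stanza in the parsed config to resolve.
        _resolving: Internal. Tuple of stanza names currently being resolved
            further up the call chain; callers should not pass it.

    Returns:
        The stanza's REGEX value with all placeholders substituted.

    Raises:
        ValueError: If the stanzas reference each other in a cycle.
        configparser.NoSectionError: If a referenced stanza does not exist.
        configparser.NoOptionError: If a stanza has no REGEX setting.
    """
    # Without this guard, a stanza that references itself (directly or through
    # other stanzas) recurses until the interpreter raises RecursionError.
    if section_name in _resolving:
        path = ' -> '.join(_resolving + (section_name,))
        raise ValueError('Circular [[...]] reference between stanzas: %s' % path)

    regex = config.get(section_name, 'REGEX')
    chain_so_far = _resolving + (section_name,)
    for s, n in splunk_re_subst.findall(regex):
        match_regex = get_regex(s, chain_so_far)
        if n:
            # Named reference: emit a named capture group.
            regex = regex.replace(
                '[[%s:%s]]' % (s, n),
                '(?<%s>%s)' % (n, match_regex))
        else:
            # Unnamed reference: emit a plain capture group.
            regex = regex.replace(
                '[[%s]]' % s,
                '(%s)' % match_regex)
    return regex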
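def escape_delimiters(regex):
    """Return *regex* with every forward slash prefixed by a backslash.

    This makes the pattern usable where ``/`` is the regex delimiter. Every
    ``/`` is replaced, so a slash that is already escaped in the input gains
    a second backslash.
    """
    # '\\/' is backslash + slash. The previous spelling '\/' produced the same
    # two characters but is an invalid escape sequence, which newer Python
    # versions report with a warning.
    return regex.replace('/', '\\/')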
def remove_empty_name_placeholders(regex):
    """Return *regex* with every ``?<>`` (empty group name) removed.

    A group written as ``(?<>...)`` therefore becomes the plain group
    ``(...)``.
    """
    empty_name = '?<>'
    # Splitting on the marker and re-joining drops every occurrence of it.
    pieces = regex.split(empty_name)
    return ''.join(pieces)
# Expand the requested stanza, escape '/' delimiters, drop empty group names,
# then print the final pattern.
regex = remove_empty_name_placeholders(
    escape_delimiters(
        get_regex(args.stanza)))
print(regex)