Releases: splunk/contentctl

v3.6.0

23 Apr 21:34
b14038b

This version includes a small change that writes additional information to savedsearches.conf.
The file now includes a metadata field showing:

  1. Whether or not a detection is deprecated
  2. The current version of the detection
  3. The UUID of the detection

Please see the following link for more detail on the PR:
#132 (comment)

v3.5.0

12 Apr 17:24
7ccf55e

This release includes improvements around Integration Testing Functionality and now properly respects the manual_test flag. Previously, detections labeled as manual_test would show as errors at the conclusion of the test, but they now render as SKIPPED.

Release note generation is also improved.

v3.4.3

01 Apr 18:57
03f9e9b

Remove verbose print which could expose sensitive arguments during ACS deploy.

v3.4.2

20 Mar 23:01
3c88c7c

Update how long we wait for the appinspect api to return results.
First, wait for 40 seconds, then check every subsequent second for the results (appinspects always take at least 40 seconds).
This reduces the wait time for an appinspect without creating undue stress on the appinspect endpoint.
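
The trade-off described above, as an added example (not contentctl's own code): a poller that sleeps 40 seconds and then checks every second, compared against two fixed-interval schedules. `check` is a hypothetical callable standing in for the AppInspect status request, and `FakeJob` is a constructed clock so the comparison runs instantly and offline.

```python
import time

def wait_for_report(check, initial_wait=40, interval=1, timeout=900,
                    sleep=time.sleep):
    """Sleep initial_wait, then call check() every interval seconds until it
    returns something other than None. Returns (result, seconds_waited, calls)."""
    sleep(initial_wait)
    waited, calls = initial_wait, 0
    while True:
        calls += 1
        result = check()
        if result is not None:
            return result, waited, calls
        if waited + interval > timeout:
            raise TimeoutError(f"no report after {waited}s and {calls} requests")
        sleep(interval)
        waited += interval

class FakeJob:
    """Constructed stand-in for the remote job: the report exists
    ready_at seconds after submission."""
    def __init__(self, ready_at):
        self.ready_at, self.now = ready_at, 0
    def sleep(self, seconds):
        self.now += seconds          # advance the fake clock, no real waiting
    def check(self):
        return "report" if self.now >= self.ready_at else None

def compare(ready_at=47):
    """Return {schedule: (seconds_waited, requests_made)} for one job."""
    schedules = {"40s then 1s": (40, 1), "1s from start": (0, 1),
                 "every 40s": (40, 40)}
    out = {}
    for name, (first, every) in schedules.items():
        job = FakeJob(ready_at)
        _, waited, calls = wait_for_report(job.check, first, every,
                                           sleep=job.sleep)
        out[name] = (waited, calls)
    return out

if __name__ == "__main__":
    for name, (waited, calls) in compare().items():
        print(f"{name:14} waited {waited:3}s, {calls:2} requests")
```

For a job that finishes at 47 seconds, the release's schedule gets the result as early as per-second polling does but with 8 requests instead of 48, while polling every 40 seconds makes only 2 requests and returns 33 seconds late.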

v3.4.1

20 Mar 18:57
c93834c

The ACS deploy endpoint address was incorrect, causing the ACS Deploy command to fail.

This failure has been fixed.

v3.4.0

20 Mar 16:17
3e194e3

This release brings a number of exciting features and fixes. The most significant are as follows:

  • ACS Deploy Support - contentctl can now deploy your app directly into your Classic OR Victoria Splunk Cloud Stack! #114
  • Enable Specified Searches by Default - You can now enable a search in your environment by default (instead of disabled by default) at app build time. When the app is deployed, the search will be scheduled to run. To do this, add the following key to your YML: enabled_by_default: True #116
  • Allow Comments in Searches - This fixes a bug where comments could be parsed as macros and cause validation failures. Now, you can include inline comments in the search field of your detection YMLs. #115
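
How a comment can be mistaken for a macro, as an added example (not contentctl's own parser): SPL wraps inline comments in triple backticks and macro invocations in single backticks, so an extractor that does not remove comments first reports comment text as undefined macros. The search string, the macro names and the function names are constructed for illustration, and macro arity is ignored.

```python
import re

TICKS = "`" * 3  # SPL inline comments are wrapped in triple backticks
COMMENT_RE = re.compile(r"`{3}.*?`{3}", re.DOTALL)
MACRO_RE = re.compile(r"`([^`\s(]+)(?:\([^`]*\))?`")  # `name` or `name(args)`

def naive_macro_names(search):
    """Comment-unaware extraction: anything between two backticks is a macro."""
    return re.findall(r"`([^`]+)`", search)

def macro_names(search):
    """Drop comments first, then read macro invocations."""
    cleaned = COMMENT_RE.sub(" ", search)
    return [m.group(1) for m in MACRO_RE.finditer(cleaned)]

def undefined_macros(search, defined, extract=macro_names):
    """Validation step: macros used in the search that the app does not define."""
    return [name for name in extract(search) if name not in defined]

# Constructed detection search and macro set, for illustration only.
SEARCH = (
    "`sysmon` EventCode=1 " + TICKS + "only process creation events" + TICKS
    + " | stats count min(_time) as firstTime by dest process_name"
    + " | `security_content_ctime(firstTime)`"
    + " | `my_detection_filter`"
)
DEFINED = {"sysmon", "security_content_ctime", "my_detection_filter"}

if __name__ == "__main__":
    # The naive extractor pairs the comment's backticks with the macros'
    # backticks and reports comment text and raw SPL as missing macros.
    print("naive  :", undefined_macros(SEARCH, DEFINED, naive_macro_names))
    print("correct:", undefined_macros(SEARCH, DEFINED))
```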

v3.3.0

21 Feb 19:07
05fe9fa

Change enrichment CLI Behavior

New release to power the change from --disable_enrichment to --enable_enrichment.

v3.2.0

16 Feb 18:28
a93e097

Improve content development/testing performance

This release adds two new features.
The first is the --skip_enrichment switch, which can be used as follows:

contentctl --skip_enrichment validate
contentctl --skip_enrichment build
contentctl --skip_enrichment test

This command line switch overrides the enrichment values contained in contentctl.yml, enabling contentctl commands to run MUCH faster by optionally disabling enrichment. Enrichment should still be used for final testing and release builds of content.

Second, since test environments take so long to be configured, by default they will be re-used for subsequent tests. This means that a container test environment, once it has been created, will remain running until it is manually terminated. This behavior can be overridden by setting the option contentctl_test.yml ---> infrastructure_config ---> persist_and_reuse_container = True.
Note that if a test container does not exist when a test begins, it will be created. Finally, the presence of additional messages on the command line when running contentctl test indicates that this feature is active:

Container [splunk_contentctl_0] has NOT been terminated because 'contentctl_test.yml ---> infrastructure_config ---> persist_and_reuse_container = True'
To remove it, please manually run the following at the command line: `docker container rm -fv splunk_contentctl_0`

If you have made changes to your environment since it was built, such as adding new apps/TAs, OR you have updated any content that is NOT a detection (such as a macro or lookup), then please terminate your container and rerun contentctl test. At this time, those artifacts are not reflected into the persistent test environment.

v3.1.0

15 Feb 22:28
e246e36

Add Integration Testing

Integration Testing has been added to ensure proper creation of notables/observables in Splunk Enterprise Security.
This is an advanced feature which can be enabled on the command line via contentctl test --enable_integration_testing. If doing so, please ensure that Splunk Enterprise Security is installed in your environment.

A number of additional stability and internal improvements were made to enable this change. Each test now runs a UNIT TEST and an INTEGRATION TEST. In the default behavior (without using --enable_integration_testing) these tests will appear as skipped.

In the near future, more verbose documentation will be published around the use of this feature.

Thank you to @cmcginley-splunk for his excellent work on these updates!

v3.0.2

31 Jan 23:04
59abf0e

Fixed a small bug in contentctl new which would not populate the status or description field correctly when creating a new detection.