splunk: add index to options

stix_shifter_modules/splunk/configuration/config.json

@@ -24,7 +24,13 @@
         "selfSignedCert": {
             "type": "password",
             "optional": true
-        }
+        },
+	"options": {
+            "index": {
+                "type": "text",
+                "optional": true
+	    }
+	}
     },
     "configuration": {
         "auth": {
@@ -37,4 +43,4 @@
             }
         }
     }
-}
+}

stix_shifter_modules/splunk/configuration/lang_en.json

@@ -20,6 +20,12 @@
         "sni": {
             "label": "Server Name Indicator",
             "description": "The Server Name Indicator (SNI) enables a separate hostname to be provided for SSL authentication"
+	},
+        "options": {
+            "index": {
+                "label": "Index Name",
+                "description": "The name of the Splunk index to be queried by this connector."
+            }
         }
     },
     "configuration": {
@@ -34,4 +40,4 @@
             }
         }
     }
-}
+}

stix_shifter_modules/splunk/stix_translation/query_constructor.py

@@ -205,6 +205,7 @@ def _test_for_earliest_latest(query_string) -> bool:
 def translate_pattern(pattern: Pattern, data_model_mapping, search_key, options):
     result_limit = options['result_limit']
     time_range = options['time_range']
+    index = options.get('index')
     x = SplunkSearchTranslator(pattern, data_model_mapping, result_limit, time_range)
     translated_query = x.translate(pattern)
     has_earliest_latest = _test_for_earliest_latest(translated_query)
@@ -220,6 +221,9 @@ def translate_pattern(pattern: Pattern, data_model_mapping, search_key, options)
         else:
             fields += field
 
+    if index:
+        translated_query = f'index={index} {translated_query}'
+
     if not has_earliest_latest:
         translated_query += ' earliest="{earliest}" | head {result_limit}'.format(earliest=time_range, result_limit=result_limit)
     elif has_earliest_latest:

stix_shifter_modules/splunk/stix_translation/query_translator.py

@@ -34,6 +34,7 @@ def transform_antlr(self, data, antlr_parsing_object):
         # append '-' as prefix and 'minutes' as suffix in time_range to convert minutes in SPL query format
         time_range = '-' + str(time_range) + 'minutes'
         translate_options['time_range'] = time_range
+        translate_options['index'] = self.options.get('index')
 
         query_string = query_constructor.translate_pattern(
             antlr_parsing_object, self, DEFAULT_SEARCH_KEYWORD, translate_options)
@@ -43,4 +44,4 @@ def map_object(self, stix_object_name):
         if stix_object_name in self.map_data and self.map_data[stix_object_name] != None:
             return self.map_data[stix_object_name]["cim_type"]
         else:
-            raise DataMappingException("Unable to map object `{}` into CIM".format(stix_object_name))
+            raise DataMappingException("Unable to map object `{}` into CIM".format(stix_object_name))

stix_shifter_modules/splunk/tests/stix_translation/test_splunk_stix_to_spl.py

@@ -227,6 +227,13 @@ def test_custom_time_limit_and_result_count(self):
         queries = f'search ((src_ip = "192.168.122.83") OR (dest_ip = "192.168.122.83")) earliest="-25minutes" | head 5000 | fields {fields}'
         _test_query_assertions(query, queries)
 
+    def test_custom_index(self):
+        stix_pattern = "[ipv4-addr:value = '192.168.122.83']"
+        options = {"index": "my_index"}
+        query = translation.translate('splunk', 'query', '{}', stix_pattern, options)
+        queries = f'search index=my_index ((src_ip = "192.168.122.83") OR (dest_ip = "192.168.122.83")) earliest="-5minutes" | head 10000 | fields {fields}'
+        _test_query_assertions(query, queries)
+
     def test_custom_mapping(self):
         stix_pattern = "[ipv4-addr:value = '192.168.122.83' AND mac-addr:value = '00-00-5E-00-53-00']"