PIE-67 Support user customizable indexes via macros (#12)

* prep for rebase

* remove autogen readme

* adds support for variable index use by sourcetype

* pie_67_macros Use macros to allow custom index

Before this update all the searches were configured assuming the main
index was the only option.

With this update, the searches will respect user set indexes for each
sourcetype or a single global puppet data index. See the advanced
configuration option in the Readme for more details on configuring it.

This also starts the 1.5.1 release process.

* remove metadata/local.meta from commit

Author: Chris Barker

DEVELOPING.md

@@ -29,8 +29,38 @@ For detailed report generation, a feature for Puppet Enterprise Users, there are
 
 ![Report Builder](https://raw.githubusercontent.com/puppetlabs/TA-puppet-report-viewer/master/README/img/report_builder.png)
 
-More information
+Advanced Configuration
 ----------------
+All report views support using custom indexes for storing event data. They accomplish this with a series of advanced search macros. The queries assume each sourcetype can be stored in it's own index (facts, summary reports, detailed reports, bolt events, action events, Puppet Enterprise metrics).
+
+There is one top level macro, `puppet_index` which defaults to "", if you configure the HEC to use a different index and want all Puppet in that index, change that value here to be `index=puppetindexname`.
+
+If you are using [puppetlabs/splunk_hec](https://forge.puppet.com/puppetlabs/splunk_hec/readme) version 0.5.0 or later, you can specify different HEC tokens for Summary Reports, Facts, and Metrics. Then create an index and an associated HEC token associated with those sourcetypes, and configure both the splunk_hec module in Puppet with those new values. Actions, Bolt Events, and Detailed Reports are all submitted via different tools and would need ot be changed according to use a different HEC token. Then the corresponding macro's updated to use those indexes.
+
+For example, if you want most Puppet data to go to one index, but Facts, Metrics, and Detailed Reports to go to their own indexes, one would follow these steps:
+- Create four indexes: puppet_data, puppet_facts_data, puppet_metrics_data, and puppet_detailed_data (or whatever name makes sense), each with their desired timespan, retention, etc.
+- Create four HEC's (example names):
+1. `puppet` with sourcetype of `puppet:summary` and the index `puppet_data`
+2. `puppet_facts` with sourcetype of `puppet:facts` and the index of `puppet_facts_data`
+3. `puppet_metrics` with sourcetype of `puppet:metrics` and the index of `puppet_metrics_data`
+4. `puppet_detailed` with sourcetype of `puppet:detailed` and the index of `puppet_detailed_data`
+- Configure the `splunk_hec` module with the corresponding tokens
+1. `splunk_hec::token` with the value from the `puppet` HEC (since you want all Puppet using splunk_hec plugin to go here, except for facts and metrics)
+2. `splunk_hec::token_facts` with the value from the `puppet_facts` HEC
+3. `splunk_hec::token_metrics` with the value from the `puppet_metrics` HEC
+- Update the Puppet Report Viewer's configuration to use the `puppet_detailed` HEC token, because detailed reports are pulled from Puppet and generated by the alert action in this application
+- Update the advanced search macros to use the new values:
+1. Open Advanced Search under the Settings -> Knowledge menu
+2. Select `Search Macros`
+3. Select `puppet_index` and change the definition to `index=puppet_data`, click save
+4. Select `puppet_facts_index` and change the definition to `index=puppet_facts_data`, click save
+5. Select `puppet_metrics_index` and change the definition to `index=puppet_metrics_data`, click save
+6. Select `puppet_detailed_index` and change the definition to `index=puppet_detailed_data`, click save
+- Reload the main view of the Puppet Report Viewer app, and you should see data, or perform the following search:
+``` 
+`puppet_all_index` sourcetype=puppet:*
+```
+
 
 More information
 ----------------

README.md

@@ -10,7 +10,7 @@ In order to load this module properly into the Splunk Add-On builder for develop
 
 ```
 $ git checkout -b 'my working branch'
-$ tar -C .. --exclude=".git" --exclude="tmpdir" -czvf tmpdir/TA-puppet-report-viewer.tar.gz TA-puppet-report-viewer
+$ COPYFILE_DISABLE=1 tar -C .. --exclude=".git" --exclude="local/" --exclude="metadata/local.meta" --exclude="tmpdir" -czvf tmpdir/TA-puppet-report-viewer.tar.gz TA-puppet-report-viewer
 ```
 
 To add your finished work back to the repo:
@@ -22,7 +22,7 @@ To add your finished work back to the repo:
 
 ```
 $ cd tmpdir
-$ tar xzvf TA-puppet-tasks-actionable_2_0_1_export.tgz
+$ tar xzvf TA-puppet-report-viewer_2_0_1_export.tgz
 $ cd ..
-$ rsync -vr tmpdir/TA-puppet-tasks-actionable_2_0_1_export/* ./
+$ rsync -vr tmpdir/TA-puppet-report-viewer_2_0_1_export/* ./
 ```

README.txt

@@ -0,0 +1,13 @@
+Puppet Report Viewer Publishing Guide
+==============
+
+This documents how this plugin is published.
+
+- Finalize testing
+- Bundle this app up using the export options in the developing.md guide
+- Import tar.gz into Splunk AddOn Builder for final validation preflight check
+- Complete and fix validation steps if needed
+- Make needed changes, tag build with final release number and publish a release in GitHub adding notes from releasenotes.md
+- Rename file name to be .spl instead of .tar.gz
+- Import .spl version to Splunk to verify that package installs properly
+- Upload .spl to Splunkbase

README/DEVELOPING.md

@@ -0,0 +1,16 @@
+Release Notes
+==============
+
+1.5.1:
+New Features:
+- Full dashboard updates
+- Support for Facts sourcetype (puppet:facts), and dashboards to use it
+- Introduces "Report Builder" page to help a user build reports and then craft custom search from the iterface to use for alerts or their own uses
+- Introduces Advanced Search macros to allow for customized indexs without requiring to modify the app. See Advanced Configuration section of the readme
+- Add's sourcetypes of puppet:action, puppet:metrics, for future use
+- Example Alert added, the search to generate a detailed report for any summary report that isn't "unchanged" has been added to the app, but set as disabled
+
+Fixes:
+- Duplicate item entry fixed, sourcetype's are now configured to extract KV from json only once
+- [Updated documentation](https://github.com/puppetlabs/ta-puppet-report-viewer)
+

README/publishing.md

@@ -5,7 +5,7 @@
     "id": {
       "group": null,
       "name": "TA-puppet-report-viewer",
-      "version": "1.4.0"
+      "version": "1.5.1"
     },
     "author": [
       {

README/releasenotes.md

@@ -7,7 +7,7 @@ build = 3
 
 [launcher]
 author = Puppet, Inc.
-version = 1.4.0
+version = 1.5.1
 
 [ui]
 is_visible = 1

TA-puppet-report-viewer.aob_meta

@@ -13,7 +13,7 @@
       <fieldForLabel>os.family</fieldForLabel>
       <fieldForValue>os.family</fieldForValue>
       <search>
-        <query>sourcetype="puppet:facts"
+        <query>`puppet_facts_index` sourcetype="puppet:facts"
 | top os.family limit=100</query>
         <earliest>$reportTimeRange.earliest$</earliest>
         <latest>$reportTimeRange.latest$</latest>
@@ -24,7 +24,7 @@
       <fieldForLabel>environment</fieldForLabel>
       <fieldForValue>environment</fieldForValue>
       <search>
-        <query>sourcetype="puppet:facts"
+        <query>`puppet_facts_index` sourcetype="puppet:facts"
 | top environment limit=100</query>
         <earliest>$reportTimeRange.earliest$</earliest>
         <latest>$reportTimeRange.latest$</latest>
@@ -35,7 +35,7 @@
       <fieldForLabel>networking.domain</fieldForLabel>
       <fieldForValue>networking.domain</fieldForValue>
       <search>
-        <query>sourcetype="puppet:facts"
+        <query>`puppet_facts_index` sourcetype="puppet:facts"
 | top networking.domain limit=100</query>
         <earliest>$reportTimeRange.earliest$</earliest>
         <latest>$reportTimeRange.latest$</latest>
@@ -46,7 +46,7 @@
     <panel>
       <table>
         <search>
-          <query>sourcetype="puppet:summary"
+          <query>`puppet_summary_index` sourcetype="puppet:summary"
 | eval "certname"=mvdedup('certname'),"run_time"=mvdedup('metrics.time.total')
 | eval strf_time=strftime(_time, "%Y-%m-%d %T %:z")
 | eval run_time_rnd=round(run_time,1)