#
# Splunk python script for double-urldecoding endpoint logs.
#
# This script should be defined in commands.conf as:
#
#   [decode]
#   filename = decode.py
#   streaming = true
#   enableheader = false
#
# Usage: <some search> | decode <options>
#          -- or maybe more efficient --
#        <some search> | fields - _cd,_meta,_serial,_si,_sourcetype,_time | fields + _raw,host,source | decode <options>
#
#   <options>
#     index=[indexname] - which index to target for results, if empty defaults to the main index
#     testmode=[true|false] - when true, writes file to var/run/splunk instead of var/spool/splunk
#     pathappend=[name] - name to append to output file, format is <time>_<random>_<name>.log, the
#                         default is <time>_<random>_decoded.log.
#
# For testing use the search:
#
# index=encoded | decode index=decoded testmode=true
#

import csv, os, random, string, sys, time, urllib

# initialize input variables
index = ''
pathappend = 'decoded'
testmode = False

if len(sys.argv) >1:
  for a in sys.argv:
    if a.startswith("index="):
      where = a.find('=')
      index = a[where+1:len(a)]
    elif a.startswith("testmode="):
      where = a.find('=')
      testmode = a[where+1:len(a)].lower().startswith('t')
    elif a.startswith("pathappend="):
      where = a.find('=')
      pathappend = a[where+1:len(a)]

# create iterator with all events passed into the script
results = csv.DictReader(sys.stdin)

# initialize the output writer and file header
splunkhome = os.environ["SPLUNK_HOME"] + '/'
outputfolder = 'var/spool/splunk/'
if testmode:
  outputfolder = 'var/run/splunk/'
outputfile = splunkhome + outputfolder + str(int(time.time())) + '_' + \
             str(random.randint(999999999,10000000000)) + '_' + pathappend + '.log'
resultsDecoded = open(outputfile,'w')
if (index != ''):
  resultsDecoded.write('***SPLUNK*** index=' + index)

# run it!
for r in results:

  # 1st: Partition the event into a list of key=value pairs.
  # 2nd: Put the key=value pairs into a dictionary
  raw = str(r['_raw'])
  d = dict(  [ (i[0],i[2])  for i in  [j.partition("=") for j in raw.split()[4:]] ]  )

  # 3rd: Decode the body, for each line in the body, append the k=v
  #      pairs from steps 1 and 2, and output as separate events.
  body = urllib.unquote(urllib.unquote(d.get("body","")))
  for b in body.split('T='):
    if ( b!='' and b!='"]' and b!='\']' ):
      newEvent = "A=%s B=%s C=%s" % (d.get("A",""), d.get("B",""), d.get("C",""), b, r['host'], r['source'])
      resultsDecoded.write('\n' + newEvent)

resultsDecoded.close()
sys.exit(0)