Merge pull request #345 from splunk/fix/cisco-asa

Cisco ASA conflict with Cisco IOS
CSVD · Mar 12, 2020 · 6e7f28b · 6e7f28b
2 parents a4eee4c + 7a5d611
commit 6e7f28b
Show file tree

Hide file tree

Showing 7 changed files with 114 additions and 102 deletions.
diff --git a/package/etc/conf.d/conflib/_common/syslog_format.conf b/package/etc/conf.d/conflib/_common/syslog_format.conf
@@ -34,12 +34,6 @@ rewrite set_rfc3164{
 filter f_is_rfc3164{
     match("rfc3164" value("fields.sc4s_syslog_format"))
 };
-rewrite set_cisco_ios{
-    set("cisco_ios" value("fields.sc4s_syslog_format"));
-};
-filter f_is_cisco_ios{
-    match("cisco_ios" value("fields.sc4s_syslog_format"))
-};
 rewrite set_no_parse{
     set("no_parse" value("fields.sc4s_syslog_format"));
 };

diff --git a/package/etc/conf.d/filters/cisco/cisco_syslog.conf b/package/etc/conf.d/filters/cisco/cisco_syslog.conf
@@ -0,0 +1,62 @@
+filter f_cisco_syslog{
+    match("cisco_syslog", value("fields.sc4s_vendor_product") type(glob));
+};
+rewrite set_cisco_syslog{
+    set("cisco_syslog" value("fields.sc4s_syslog_format"));
+};
+filter f_is_cisco_syslog{
+    match("cisco_syslog" value("fields.sc4s_syslog_format"))
+};
+
+parser cisco-parser-ex{
+    channel {
+        filter {
+            #message('^<\d*> ?(?:(\d+)\: )?(?:(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9]): )?(?:(\d+): )?(?:(\d\d:\d\d:\d\d|\d{1,6} \d{1,2}))?(?:(\*)?((?:\w\w\w {1,2}\d{1,2} (?:\d{2,4} )?\d\d:\d\d:\d\d)(?:\.\d{3,6})?( [AP]M)?)( [A-Z]{3,3})?)?( \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3} )?: ((\%[^\: ]+)\:? ?.*)' flags(store-matches));
+            message('^^<\d*> ?(?:(\d+)\: )?(?:(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9]): )?(?:(\d+): )?(?:(\d\d:\d\d:\d\d|\d{1,6} \d{1,2}))?(?:(\*)?((?:\w\w\w {1,2}\d{1,2} (?:\d{2,4} )?\d\d:\d\d:\d\d)(?:\.\d{3,6})?( [AP]M)?)( [A-Z]{3,3})?)? ?(?:(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9]))? ?: ((\%[^\: ]+)\:? ?.*)' flags(store-matches));
+        };        
+        if {
+            #Mar  4 11:45:20
+            #Apr 29 13:58:46.000001
+            #Apr 29 13:58:46.411
+            #Mar  1 18:48:50.483 UTC NOTE: Reverse TZ "%Z" parsing will not work for non-local timezones.
+            # guess-timezone() will be used to reconcile timezones
+            parser {
+                    date-parser(format(
+                                    '%b %d %H:%M:%S.%f',
+                                    '%b %d %H:%M:%S',
+                                    '%b %d %I:%M:%S %p.%f',
+                                    '%b %d %I:%M:%S %p',
+                                    '%b %d %Y %H:%M:%S.%f'
+                                    '%b %d %Y %H:%M:%S',
+                                    )
+                template("$8")
+                flags(guess-timezone)
+                );
+            };
+        } else {
+#           rewrite { set("date/time parser failed", value("fields.sc4s_error")); };
+            rewrite { set("date/time parser failed on string $8" value("fields.sc4s_error")); };
+        };
+        rewrite {
+            set(
+                "${4}",
+                value("HOST")                
+                condition(match('..' value('4')))
+            );            
+            set(
+                "${13}",
+                value("HOST")                
+                condition(match('..' value('13')))
+            );                        
+            set(        
+                "${15}",
+                value("PROGRAM")                
+            );                        
+            set(
+                "${14}",
+                value("MESSAGE")                
+            );
+        };
+
+    };
+};
diff --git a/package/etc/conf.d/filters/cisco/ios.conf b/package/etc/conf.d/filters/cisco/ios.conf
@@ -1,54 +1,3 @@
 # In general this will not be used; parser setting will override the need for this
 
-filter f_cisco_ios{
-    match("cisco_ios", value("fields.sc4s_vendor_product") type(glob));
-};
 
-
-parser cisco-parser-ex{
-    channel {
-        filter {
-            #message('^<\d*>(?:(?<ciscoseq>\d+)\: )?(?:(?<HOST>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9]): )?(?:(?<ciscorule>\d+): )?(?:(?<ciscotimereliable>\*)?(?<ciscotime>(?<time>\w\w\w {1,2}\d{1,2} \d\d:\d\d:\d\d)(?<ciscofrac>\.\d{3,6})? ?(?<ciscotz>\w+)?): )?(?:(?<ciscouptime>\d\d:\d\d:\d\d|\d{1,6} \d{1,2}): )?(?<cisomsg>(?<ciscoprogram>%.{2,15}\-\d{1,3}\-[^:]{3,}): (?<ciscodescription>.*))' flags(store-matches));            
-            message('^<\d*>(?:(\d+)\: )?(?:(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9]): )?(?:(\d+): )?(?:(\*)?((?:\w\w\w {1,2}\d{1,2} (?:\d{2,4} )?\d\d:\d\d:\d\d)(?:\.\d{3,6})?( [AP]M)?)( \w+)?: )?(?:(\d\d:\d\d:\d\d|\d{1,6} \d{1,2}): )?(%.{2,15}\-\d{1,3}\-[^:]+): (.*)' flags(store-matches));
-        };        
-        if {
-            #Mar  4 11:45:20
-            #Apr 29 13:58:46.000001
-            #Apr 29 13:58:46.411
-            #Mar  1 18:48:50.483 UTC NOTE: Reverse TZ "%Z" parsing will not work for non-local timezones.
-            # guess-timezone() will be used to reconcile timezones
-            parser {
-                    date-parser(format(
-                                    '%b %d %H:%M:%S.%f',
-                                    '%b %d %H:%M:%S',
-                                    '%b %d %I:%M:%S %p.%f',
-                                    '%b %d %I:%M:%S %p',
-                                    '%b %d %Y %H:%M:%S.%f'
-                                    '%b %d %Y %H:%M:%S',
-                                    )
-                template("$7")
-                flags(guess-timezone)
-                );
-            };
-        } else {
-#           rewrite { set("date/time parser failed", value("fields.sc4s_error")); };
-            rewrite { set("date/time parser failed on string $7" value("fields.sc4s_error")); };
-        };
-        rewrite {
-            set(
-                "$4",
-                value("HOST")                
-                condition(match('..' value('4')))
-            );            
-            set(        
-                "$11",
-                value("PROGRAM")                
-            );            
-            set(
-                "$12",
-                value("MSG")                
-            );
-        };
-
-    };
-};
diff --git a/package/etc/conf.d/log_paths/lp-cisco_asa_legacy.conf.tmpl b/package/etc/conf.d/log_paths/lp-cisco_asa_legacy.conf.tmpl
@@ -1,6 +1,6 @@
 # Cisco ASA
 {{- /* The following provides a unique port source configuration if env var(s) are set */}}
-{{- $context := dict "port_id" "CISCO_ASA_LEGACY" "parser" "rfc3164" }}
+{{- $context := dict "port_id" "CISCO_ASA_LEGACY" "parser" "cisco_parser" }}
 {{- tmpl.Exec "t/source_network.t" $context }}
 
 log {
@@ -15,7 +15,7 @@ log {
         channel {
         # Listen on the default port (typically 514) for CISCO_ASA_LEGACY traffic
             source (s_DEFAULT);
-            filter(f_is_rfc3164);
+            filter(f_is_cisco_syslog);
             filter(f_cisco_asa);
             flags(final);
         };

diff --git a/package/etc/conf.d/log_paths/lp-cisco_ios.conf.tmpl b/package/etc/conf.d/log_paths/lp-cisco_ios.conf.tmpl
@@ -15,7 +15,7 @@ log {
         channel {
         # Listen on the default port (typically 514) for CISCO_IOS traffic
             source (s_DEFAULT);
-            filter(f_is_cisco_ios);
+            filter(f_is_cisco_syslog);
             flags(final);
         };
     };
@@ -27,7 +27,7 @@ log {
     };
     parser { p_add_context_splunk(key("cisco_ios")); };
     parser (compliance_meta_by_source);
-    rewrite { set("$(template ${.splunk.sc4s_template} $(template t_program_msg))" value("MSG")); };
+    rewrite { set("$(template ${.splunk.sc4s_template} $(template t_msg_only))" value("MSG")); };
 
 {{- if or (conv.ToBool (getenv "SC4S_DEST_SPLUNK_HEC_GLOBAL" "yes")) (conv.ToBool (getenv "SC4S_DEST_CISCO_IOS_HEC" "no")) }}
     destination(d_hec);

diff --git a/package/etc/go_templates/source_network.t b/package/etc/go_templates/source_network.t
@@ -84,7 +84,7 @@ source s_{{ .port_id }} {
         rewrite(set_rfc5424_noversion);
 {{ else if eq .parser "cisco_parser" }}
         parser (cisco-parser-ex);
-        rewrite(set_cisco_ios);
+        rewrite(set_cisco_syslog);
 {{ else if eq .parser "cisco_meraki_parser" }}
         parser (p_cisco_meraki);
         rewrite(set_rfc5424_epochtime);
@@ -129,7 +129,7 @@ source s_{{ .port_id }} {
             rewrite(set_rfc5424_epochtime);
         } elif {
             parser(cisco-parser-ex);
-            rewrite(set_cisco_ios);
+            rewrite(set_cisco_syslog);
         } elif {
             filter(f_cisco_ucm_message);
             parser (p_cisco_ucm_date);

diff --git a/tests/test_cisco_ios.py b/tests/test_cisco_ios.py
@@ -13,43 +13,45 @@
 import pytest
 env = Environment()
 
-#30: foo: 6340004: *Mar  4 11:45:20: %SEC-6-IPACCESSLOGP: list INET-BLOCK permitted tcp 192.168.20.252(55244) -> 10.54.3.178(44818), 1 packet
-#30: foo: *Apr 29 13:58:46.000001: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.1.239 stopped - CLI initiated
-#30: foo: *Apr 29 13:58:46.411: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.1.239 stopped - CLI initiated
-#foo: *Apr 29 13:58:46.411: %SYSMGR-STANDBY-3-SHUTDOWN_START: The System Manager has started the shutdown procedure.
-#30: foo: 6340004: Mar  4 11:45:20: %SEC-6-IPACCESSLOGP: list INET-BLOCK permitted tcp 192.168.20.252(55244) -> 10.54.3.178(44818), 1 packet
-#30: foo: Apr 29 13:58:46.000001: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.1.239 stopped - CLI initiated
-#30: foo: Apr 29 13:58:46.411: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.1.239 stopped - CLI initiated
-#foo: Apr 29 13:58:46.411: %SYSMGR-STANDBY-3-SHUTDOWN_START: The System Manager has started the shutdown procedure.
-#foo: 00:01:01: %SYSMGR-STANDBY-3-SHUTDOWN_START: The System Manager has started the 
-#00:01:01: %SYSMGR-STANDBY-3-SHUTDOWN_START: The System Manager has started the 
-#foo: 1 2: %SYSMGR-STANDBY-3-SHUTDOWN_START: The System Manager has started the shutdown procedure.shutdown procedure.
-#101 21: %SYSMGR-STANDBY-3-SHUTDOWN_START: The System Manager has started the shutdown procedure.shutdown procedure.
-#*Mar  1 18:48:50.483 UTC: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36)
+
+# 30: foo: 6340004: *Mar  4 11:45:20: %SEC-6-IPACCESSLOGP: list INET-BLOCK permitted tcp 192.168.20.252(55244) -> 10.54.3.178(44818), 1 packet
+# 30: foo: *Apr 29 13:58:46.000001: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.1.239 stopped - CLI initiated
+# 30: foo: *Apr 29 13:58:46.411: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.1.239 stopped - CLI initiated
+# foo: *Apr 29 13:58:46.411: %SYSMGR-STANDBY-3-SHUTDOWN_START: The System Manager has started the shutdown procedure.
+# 30: foo: 6340004: Mar  4 11:45:20: %SEC-6-IPACCESSLOGP: list INET-BLOCK permitted tcp 192.168.20.252(55244) -> 10.54.3.178(44818), 1 packet
+# 30: foo: Apr 29 13:58:46.000001: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.1.239 stopped - CLI initiated
+# 30: foo: Apr 29 13:58:46.411: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.1.239 stopped - CLI initiated
+# foo: Apr 29 13:58:46.411: %SYSMGR-STANDBY-3-SHUTDOWN_START: The System Manager has started the shutdown procedure.
+# foo: 00:01:01: %SYSMGR-STANDBY-3-SHUTDOWN_START: The System Manager has started the
+# 00:01:01: %SYSMGR-STANDBY-3-SHUTDOWN_START: The System Manager has started the
+# foo: 1 2: %SYSMGR-STANDBY-3-SHUTDOWN_START: The System Manager has started the shutdown procedure.shutdown procedure.
+# 101 21: %SYSMGR-STANDBY-3-SHUTDOWN_START: The System Manager has started the shutdown procedure.shutdown procedure.
+# *Mar  1 18:48:50.483 UTC: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36)
 
 testdata = [
-        "{{ mark }}{{ seq }}: {{ host }}: 6340004: *{{ bsd }}: %SEC-6-IPACCESSLOGP: list INET-BLOCK permitted tcp 192.168.20.252(55244) -> 10.54.3.178(44818), 1 packet",
-        "{{ mark }}{{ seq }}: {{ host }}: *{{ bsd }}.{{ microsec }}: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.1.239 stopped - CLI initiated {{ bsd }}.{{ millisec }}",
-        "{{ mark }}{{ seq }}: {{ host }}: *{{ bsd }}: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.1.239 stopped - CLI initiated",
-        "{{ mark }}{{ host }}: *{{ bsd }}: %SYSMGR-STANDBY-3-SHUTDOWN_START: The System Manager has started the shutdown procedure.",
-        "{{ mark }}{{ seq }}: {{ host }}: 6340004: {{ bsd }}: %SEC-6-IPACCESSLOGP: list INET-BLOCK permitted tcp 192.168.20.252(55244) -> 10.54.3.178(44818), 1 packet",
-        "{{ mark }}{{ seq }}: {{ host }}: {{ bsd }}.{{ microsec }}: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.1.239 stopped - CLI initiated",
-        "{{ mark }}{{ seq }}: {{ host }}: {{ bsd }}.{{ millisec }}: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.1.239 stopped - CLI initiated",
-        "{{ mark }}{{ host }}: {{ bsd }}.{{ millisec }}: %SYSMGR-STANDBY-3-SHUTDOWN_START: The System Manager has started the shutdown procedure. {{ bsd }}.{{ millisec }}",
-        "{{ mark }}*{{ bsd }}.{{ millisec }} {{ tzname }}: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36) {{ host }}"
-    ]
+    "{{ mark }}{{ seq }}: {{ host }}: 6340004: *{{ bsd }}: %SEC-6-IPACCESSLOGP: list INET-BLOCK permitted tcp 192.168.20.252(55244) -> 10.54.3.178(44818), 1 packet",
+    "{{ mark }}{{ seq }}: {{ host }}: *{{ bsd }}.{{ microsec }}: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.1.239 stopped - CLI initiated {{ bsd }}.{{ millisec }}",
+    "{{ mark }}{{ seq }}: {{ host }}: *{{ bsd }}: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.1.239 stopped - CLI initiated",
+    "{{ mark }}{{ host }}: *{{ bsd }}: %SYSMGR-STANDBY-3-SHUTDOWN_START: The System Manager has started the shutdown procedure.",
+    "{{ mark }}{{ seq }}: {{ host }}: 6340004: {{ bsd }}: %SEC-6-IPACCESSLOGP: list INET-BLOCK permitted tcp 192.168.20.252(55244) -> 10.54.3.178(44818), 1 packet",
+    "{{ mark }}{{ seq }}: {{ host }}: {{ bsd }}.{{ microsec }}: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.1.239 stopped - CLI initiated",
+    "{{ mark }}{{ seq }}: {{ host }}: {{ bsd }}.{{ millisec }}: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.1.239 stopped - CLI initiated",
+    "{{ mark }}{{ host }}: {{ bsd }}.{{ millisec }}: %SYSMGR-STANDBY-3-SHUTDOWN_START: The System Manager has started the shutdown procedure. {{ bsd }}.{{ millisec }}",
+    "{{ mark }}*{{ bsd }}.{{ millisec }} {{ tzname }}: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36) {{ host }}"
+]
 
 testdata_uptime = [
-        "{{ mark }}{{ host }}: 00:01:01: %SYSMGR-STANDBY-3-SHUTDOWN_START: The System Manager has started the ",
-        "{{ mark }}00:01:01: %SYSMGR-STANDBY-3-SHUTDOWN_START: The System Manager has started the {{ host }}",
-        "{{ mark }}{{ host }}: 00:01:01: %SYSMGR-STANDBY-3-SHUTDOWN_START: The System Manager has started the ",
-        "{{ mark }}{{ seq }}: 00:01:01: %SYSMGR-STANDBY-3-SHUTDOWN_START: The System Manager has started the {{ host }}",
-        "{{ mark }}{{ seq }}: {{ host }}: 1 2: %SYSMGR-STANDBY-3-SHUTDOWN_START: The System Manager has started the shutdown procedure.shutdown procedure.",
-        "{{ mark }}101 21: %SYSMGR-STANDBY-3-SHUTDOWN_START: The System Manager has started the shutdown procedure.shutdown procedure. {{ host }}"
-    ]
+    "{{ mark }}{{ host }}: 00:01:01: %SYSMGR-STANDBY-3-SHUTDOWN_START: The System Manager has started the ",
+    "{{ mark }}00:01:01: %SYSMGR-STANDBY-3-SHUTDOWN_START: The System Manager has started the {{ host }}",
+    "{{ mark }}{{ host }}: 00:01:01: %SYSMGR-STANDBY-3-SHUTDOWN_START: The System Manager has started the ",
+    "{{ mark }}{{ seq }}: 00:01:01: %SYSMGR-STANDBY-3-SHUTDOWN_START: The System Manager has started the {{ host }}",
+    "{{ mark }}{{ seq }}: {{ host }}: 1 2: %SYSMGR-STANDBY-3-SHUTDOWN_START: The System Manager has started the shutdown procedure.shutdown procedure.",
+    "{{ mark }}101 21: %SYSMGR-STANDBY-3-SHUTDOWN_START: The System Manager has started the shutdown procedure.shutdown procedure. {{ host }}"
+]
+
 
 @pytest.mark.parametrize("event", testdata)
-def test_cisco_ios(record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s,event):
+def test_cisco_ios(record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s, event):
     host = get_host_key
 
     dt = datetime.datetime.now()
@@ -62,12 +64,15 @@ def test_cisco_ios(record_property, setup_wordlist, get_host_key, setup_splunk,
     microsec = iso[20:26]
 
     mt = env.from_string(event + "\n")
-    message = mt.render(mark="<166>", seq=20, bsd=bsd, time=time, millisec=millisec, microsec=microsec, tzname=tzname, host=host)
+    message = mt.render(mark="<166>", seq=20, bsd=bsd, time=time,
+                        millisec=millisec, microsec=microsec, tzname=tzname, host=host)
 
     sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
 
-    st = env.from_string("search index=netops (_time={{ epoch }} OR _time={{ epoch }}.{{ millisec }} OR _time={{ epoch }}.{{ microsec }}) sourcetype=\"cisco:ios\" (host=\"{{ host }}\" OR \"{{ host }}\")")
-    search = st.render(epoch=epoch, millisec=millisec, microsec=microsec, host=host)
+    st = env.from_string(
+        "search index=netops (_time={{ epoch }} OR _time={{ epoch }}.{{ millisec }} OR _time={{ epoch }}.{{ microsec }}) sourcetype=\"cisco:ios\" (host=\"{{ host }}\" OR \"{{ host }}\")")
+    search = st.render(epoch=epoch, millisec=millisec,
+                       microsec=microsec, host=host)
 
     resultCount, eventCount = splunk_single(setup_splunk, search)
 
@@ -77,20 +82,22 @@ def test_cisco_ios(record_property, setup_wordlist, get_host_key, setup_splunk,
 
     assert resultCount == 1
 
+
 @pytest.mark.parametrize("event", testdata_uptime)
-def test_cisco_ios_uptime(record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s,event):
+def test_cisco_ios_uptime(record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s, event):
     host = get_host_key
- 
+
     mt = env.from_string(event + "\n")
     message = mt.render(mark="<166>", seq=20, host=host)
 
     sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
 
-    st = env.from_string("search index=netops earliest=-1m@m latest=+1m@m sourcetype=\"cisco:ios\" (host=\"{{ host }}\" OR \"{{ host }}\")")
+    st = env.from_string(
+        "search index=netops earliest=-1m@m latest=+1m@m sourcetype=\"cisco:ios\" (host=\"{{ host }}\" OR \"{{ host }}\")")
     search = st.render(host=host)
- 
+
     resultCount, eventCount = splunk_single(setup_splunk, search)
- 
+
     record_property("host", host)
     record_property("resultCount", resultCount)
     record_property("message", message)