import sublime
import sublime_plugin
import re
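class SplunkFormatCommand(sublime_plugin.TextCommand):
    """Sublime Text command that re-flows a Splunk search for readability."""

    def formatSplunkSearch(self, search):
        """Return ``search`` laid out with one pipeline stage per line.

        Double-quoted literals and bracketed subsearches are swapped for
        placeholder tokens while whitespace and pipes are rewritten, and are
        put back afterwards. Quoted literals are restored verbatim, so a
        regex or value inside quotes is never altered by the formatter.

        If the input already contains one of the placeholder tokens the
        search cannot be round-tripped safely and is returned unchanged.

        Raises:
            ValueError: a ``]`` appears outside quotes with no open ``[``.
        """
        # Reserved placeholder tokens used while the text is rewritten.
        string_token = 'STRINGSTRINGSTRINGYSTRING'
        subsearch_token = 'SUBSEARCHFTW'
        space_token = 'SPCE'

        # Double-quoted literal, honouring backslash escapes.
        # Regex from http://www.bbosearch.com/pretty
        quoted = re.compile(r'\"[^\"\\]*(?:\\.[^\"\\]*)*\"')

        # Strip whitespace, then replace strings with a placeholder.
        workingString = search.strip()
        stgs = quoted.findall(workingString)
        workingString = quoted.sub(string_token, workingString)

        # A reserved token in the input would be mistaken for a placeholder
        # on restore and silently change the search, so leave such input
        # exactly as it was given.
        if (string_token in search
                or subsearch_token in workingString
                or space_token in workingString):
            return search

        def findSubsearches(inString):
            """Return the outermost ``[...]`` spans of ``inString`` in order.

            A ``[`` that is never closed yields no span.
            """
            capturing = False
            count = 0  # brackets opened inside the span being captured
            start = 0
            r = []
            for i, c in enumerate(inString):
                if c == ']':
                    if not capturing:
                        # Raising a bare string is itself a TypeError, which
                        # hid this message; raise a real exception instead.
                        raise ValueError(
                            "Everything is broken! You can't start with a ]!")
                    if count > 0:
                        count -= 1
                    else:
                        capturing = False
                        r.append(inString[start:i + 1])
                elif c == '[':
                    if capturing:
                        count += 1
                    else:
                        start = i
                        count = 0
                        capturing = True
            return r

        def formatSubSearches(subsearches, level=1):
            """Indent each subsearch by ``level`` steps, recursing inward."""
            # [|inputlookup cis_mappings.csv | [ do a things] eval check_id = STRINGSTRINGSTRINGYSTRING + check_id | table check_id nova_profile]
            nested_token = 'SUBSEARCHFTW%s' % level
            r = []
            for x in subsearches:
                # Drop exactly one bracket from each end. str.strip("[]")
                # would also eat the brackets of a nested subsearch that
                # touches either edge.
                moarSubSearchs = findSubsearches(x[1:-1])
                if moarSubSearchs:
                    for y in moarSubSearchs:
                        # One occurrence per span: replacing every match
                        # would leave fewer tokens than spans to restore.
                        x = x.replace(y, nested_token, 1)
                    moarSubSearchs = formatSubSearches(
                        moarSubSearchs, level=level + 1)
                    for y in moarSubSearchs:
                        x = x.replace(nested_token, y, 1)
                x = re.sub(r"^\s*\[[\s\n]*", r"[\n" + " " * level * 4, x)
                # The (?<!E) lookbehind skips pipes that directly follow a
                # space token, i.e. pipes already indented at a deeper level.
                x = re.sub(r"(?<!E)(?:\s+?)?\|",
                           r"\n" + " " * level * 4 + "|", x)
                x = re.sub(r"(\s+)?\]$", r" ]", x)
                if level > 1:
                    # Shield this level's spacing from the outer passes.
                    x = re.sub(r" \n*", space_token, x)
                r.append(x)
            if level == 1:
                r = [re.sub(r"SPCE", " ", x) for x in r]
            return r

        subsearches = findSubsearches(workingString)
        for x in subsearches:
            workingString = workingString.replace(x, subsearch_token, 1)

        workingString = re.sub(r'\s+', r' ', workingString)
        workingString = re.sub(r'(?<!^)\s?\|', r'\n|', workingString)

        subsearches = formatSubSearches(subsearches)

        # Gotta put the subsearches back in.
        for x in subsearches:
            workingString = workingString.replace(subsearch_token, x, 1)

        # Space out pipes while quoted literals are still masked; doing it
        # after the restore would rewrite a "|" inside a quoted regex or
        # value and change what the search matches.
        workingString = re.sub(r"\|([^ ])", r"| \1", workingString)

        for x in stgs:
            workingString = workingString.replace(string_token, x, 1)
        return workingString

    def run(self, edit, area_to_format='selection'):
        """Format the selection(s) or the whole view in place.

        ``area_to_format`` is ``'selection'`` (every non-empty selected
        region) or ``'view'`` (the entire buffer); any other value does
        nothing.
        """
        if area_to_format == 'selection':
            for region in self.view.sel():
                if not region.empty():
                    s = self.view.substr(region)
                    self.view.replace(edit, region, self.formatSplunkSearch(s))
        elif area_to_format == 'view':
            view = sublime.Region(0, self.view.size())
            s = self.view.substr(view)
            self.view.replace(edit, view, self.formatSplunkSearch(s))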