splunk · mkolasinski-splunk · Jun 20, 2025 · Jun 24, 2025 · Jul 8, 2025 · Jul 10, 2025
@@ -148,6 +148,8 @@ jobs:
           "splunk_app_req",
           "splunk_app_req_broken",
           "splunk_cim_model",
+          "splunk_app_fiction_with_uuid",
+          "splunk_app_req_with_uuid",
         ]
     steps:
       - uses: actions/checkout@v4

@@ -1,6 +0,0 @@
-[submodule "deps/build/addonfactory_test_matrix_splunk"]
-	path = deps/build/addonfactory_test_matrix_splunk
-	url = https://github.com/splunk/addonfactory_test_matrix_splunk.git
-[submodule "deps/apps/Splunk_SA_CIM"]
-	path = deps/apps/Splunk_SA_CIM
-	url = [email protected]:splunk/addonfactory-splunk_sa_cim.git

@@ -0,0 +1,10 @@
+ReadMe
+Splunk Common Information Model 4.20.0
+
+Copyright (C) 2005-2018 Splunk Inc. All rights reserved.
+
+* For the Release Notes, What's New, and Getting Started documentation for this 
+release see: 
+     http://docs.splunk.com/Documentation/CIM/
+
+
@@ -0,0 +1,28 @@
+
+[my_action]
+
+...
+
+param._cam = {\
+    "category":   	   ["Information Gathering"],\
+    "task":       	   ["create"],\
+    "subject":         ["network.capture"],\
+    "technology":      [{"vendor": "Splunk", "product": "Splunk App for Stream"}],\
+    "supports_adhoc":  true,\
+    "drilldown_uri":   "my_view?form.orig_sid=$sid$&form.orig_rid=$rid$"\
+}
+
+
+[my_action2]
+
+...
+
+param._cam = {\
+    "category":   	     ["Information Gathering"],\
+    "task":       	     ["scan"],\
+    "subject":           ["process.reputation-service"],\
+    "technology":        [{"vendor": "myvendor", "product": "myproduct", "version": "1.0"}],\
+    "supports_adhoc":    true,\
+    "drilldown_uri":     "../my_app/my_view?form.orig_sid=$sid$&form.orig_rid=$rid$",\
+    "field_name_params": ["param.host_field"]\
+}
@@ -0,0 +1,98 @@
+
+param._cam = <json>
+    * Json specification for classifying response actions.
+    * See Appendix A.
+    * Optional.
+    * Defaults to None.
+
+param._cam_workers = <json>
+    * Json specification for defining remote workers.
+    * See Appendix B.
+    * Optional.
+    * Defaults to None.
+
+
+###### Appendix A: Common Action Model Specification #######
+## category:          The category or categories the modular action belongs to.
+##                    Required.
+##                    For instance, "Information Gathering".
+##                    See cam_categories.csv for recommended values.
+## task:              The function or functions performed by the modular action.
+##                    Required.
+##                    For instance, "create".
+##                    See cam_tasks.csv for recommended values.
+## subject:           The object or objects that the modular action's task(s)
+##                    can be performed on (i.e. "endpoint.file").
+##                    Required.
+##                    See cam_subjects.csv for recommended values.
+## technology:        The technology or technologies that the modular action supports.
+##                    Required.
+##                    vendor:  The vendor of the technology.
+##                        Required.
+##                        For instance, "Splunk".
+##                    product: The product of the technology.
+##                        Required.
+##                        For instance, "Enterprise".
+##                    version: The version or versions of the technology.
+##                        Optional.
+##                        For instance, "6.4".
+## drilldown_uri:     Specifies a custom target for viewing the events
+##                    outputted as a result of the action.
+##                    Custom target can specify app and/or view depending on syntax.
+##                    Optional.
+##                    For instance, "my_view?form.orig_sid=$sid$&form.orig_rid=$rid$"
+##                    For instance, "../my_app/my_view?form.orig_sid=$sid$&form.orig_rid=$rid$"
+## field_name_params: The param or params which represent the name of a result field.
+##                    Optional.
+##                    For instance, ["param.search_field"] indicates that the value of "param.search_field"
+##                    should be present as a field in the result or results being operated on.
+## required_params:   Parameter(s) required for successful action execution. 
+##                    Indicated by "*" in the custom alert action user interface. 
+##                    For instance, ["param.search_field"] indicates that "param.search_field"
+##                    should be specified when submitting the action on the custom alert action
+##                    user interface.
+##                    Optional.
+## supports_adhoc:    Specifies if the modular action supports adhoc invocations.
+##                    Optional.
+##                    Defaults to False.
+## supports_cloud:    Specifies if the modular actions supports the "cloud" model.
+##                    For instance, does the action function properly when the search head does not have access
+##                    to the local network.
+##                    Optional.
+##                    Defaults to True.
+## supports_workers:  Specifies if the modular actions supports remote workers.
+##                    supports_workers==True implies supports_cloud==True
+##                    Optional.
+##                    Defaults to False.
+#{
+#    "category":          ["<category>", ..., "<category">],
+#    "task":              ["<task>", ..., "<task>"],
+#    "subject":           ["<subject>", ..., "<subject>"],
+#    "technology":        [{ "vendor":  "<vendor>",
+#                            "product": "<product>",
+#                            "version": ["<version>", ..., "<version>"]
+#                          },
+#                          ...,
+#                          { "vendor":  "<vendor>",
+#                            "product": "<product>",
+#                            "version": ["<version>", ..., "<version>"]
+#                          }
+#                         ],
+#    "drilldown_uri":     "<uri>",
+#    "field_name_params": ["<param.param1>", ..., "<param.paramN>"],
+#    "required_params":   ["<param.param1>", ..., "<param.paramN>"]
+#    "supports_adhoc":    true | false,
+#    "supports_cloud":    true | false,
+#    "supports_workers":  true | false
+#}
+
+
+###### Appendix B: Common Action Model Remote Workers Specification #######
+## List of Splunk "serverName" values as advertised by /server/info
+##
+## Special "serverName" values:
+##    * "local" - action script will continue doing work locally in addition to
+##                queueing work for additional workers (if specified).
+##                
+##
+## [ "local"?, "worker1", "worker2", ..., "workern" ]
@@ -0,0 +1,9 @@
+
+[<STANZA_NAME>]
+python.version = {default|python|python2|python3}
+* Optional setting. Requires 8.0+
+* For Python scripts only, selects which Python version to use.
+* Set to either "default" or "python" to use the system-wide default Python
+  version.
+* Optional.
+* Default: Not set; uses the system-wide Python version.
@@ -0,0 +1,6 @@
+[relaymodaction://master]
+uri = https://master:8089
+description = splunk cloud search head
+username = username
+verify = True
+client_cert = client_cert.pem
@@ -0,0 +1,29 @@
+
+python.version = {default|python|python2|python3}
+* Optional setting. Requires 8.0+
+* For Python scripts only, selects which Python version to use.
+* Set to either "default" or "python" to use the system-wide default Python
+  version.
+* Optional.
+* Default: Not set; uses the system-wide Python version.
+
+[relaymodaction://<name>]
+uri = <string>
+* Remote splunk instance management URI.
+* Format should be protocol://host:port
+
+description = <string>
+* Description for the remote Splunk instance.
+
+username = <string>
+* Label pertaining to the API key stored in secure storage, must be unique.
+* Realm is "cam_queue".
+
+verify = <string>
+* Specifies if SSL verification is needed between worker and remote search head.
+* Defaults to True
+
+client_cert = <string>
+* Filename of client certificate.
+* Specify when SSL verification is needed, leave empty otherwise.
+* Certificate should be put in $splunk_home/etc/apps/Splunk_SA_CIM/auth
@@ -0,0 +1,9 @@
+
+[script:<uniqueName>]
+python.version={default|python|python2|python3}
+* Optional setting. Requires 8.0+
+* For Python scripts only, selects which Python version to use.
+* Set to either "default" or "python" to use the system-wide default Python
+  version.
+* Optional.
+* Default: Not set; uses the system-wide Python version.
@@ -0,0 +1,11 @@
+[<unique_transform_stanza_name>]
+reverse_lookup_honor_case_sensitive_match = {default|true|false}
+* Optional setting.
+* This setting does not apply to KV Store lookups.
+* Default: true
+* When set to true, and case_sensitive_match is true Splunk software performs case-sensitive matching for
+  all fields in a reverse lookup.
+* When set to true, and case_sensitive_match is false Splunk software performs case-insensitive matching for
+  all fields in a reverse lookup.
+* When set to false, Splunk software performs case-insensitive matching for
+  all fields in a reverse lookup.