update databricks docs for wise/cont3xt

arkime · Nov 15, 2024 · 4f6b4e7 · 4f6b4e7
1 parent 260a203
commit 4f6b4e7
Show file tree

Hide file tree

Showing 2 changed files with 52 additions and 8 deletions.
diff --git a/_data/cont3xt/databricks.yml b/_data/cont3xt/databricks.yml
@@ -0,0 +1,44 @@
+name: "Databricks Integration"
+before: |
+  (Since 5.5.1) Cont3xt can query Databricks for results.
+
+  Create a <code>[databricks:NAME]</code> section where NAME is a unique name for all integrations
+
+settings:
+  - key: name
+    value: section name
+    text: The friendly name to show the user in the UI
+
+  - key: icon
+    value: icon for integration in UI
+    text: Path to icon to use in UI
+
+  - key: host
+    value: REQUIRED
+    text: The Databricks hostname (usually something like *******.databricks.com)
+
+  - key: token
+    value: REQUIRED
+    text: The Databricks token (usually starts with "dapi")
+
+  - key: path
+    value: REQUIRED
+    text: The Databricks path (usually something like /sql/1.0/warehouses/******)
+
+  - key: statement
+    value: REQUIRED
+    text: The query statement to run against Databricks. For non periodic queries the named parameter SEARCHTERM will be replaced with the key. (e.g. SELECT * FROM catalog.schema.table WHERE ip = SEARCHTERM)
+
+after: |
+  <p>
+    Example config that will query Databricks for all the IPs that match.
+  </p>
+  <pre>
+    [databricks:users]
+    itypes = ip
+    name = DataBricks Users
+    host = abc-123456-789.cloud.databricks.com
+    path = /sql/1.0/warehouses/abcxyz125789
+    token = THESUPERSECRETTOKEN
+    statement=SELECT * FROM catalog.schema.table WHERE ip = SEARCHTERM
+  </pre>
diff --git a/_data/wise/databricks.yml b/_data/wise/databricks.yml
@@ -16,11 +16,11 @@ settings:
 
   - key: host
     value: REQUIRED
-    text: The Databricks hostname
+    text: The Databricks hostname (usually something like *******.databricks.com)
 
   - key: token
     value: REQUIRED
-    text: The Databricks token
+    text: The Databricks token (usually starts with "dapi")
 
   - key: keyPath
     value: REQUIRED
@@ -32,11 +32,11 @@ settings:
 
   - key: path
     value: REQUIRED
-    text: The Databricks path
+    text: The Databricks path (usually something like /sql/1.0/warehouses/******)
 
   - key: query
     value: REQUIRED
-    text: The query to run against Databricks. For non periodic queries the named parameter SEARCHTERM will be replaced with the key.
+    text: The query to run against Databricks. For non periodic queries the named parameter SEARCHTERM will be replaced with the key. (e.g. SELECT * FROM catalog.schema.table WHERE ip = SEARCHTERM)
 
   - key: mergeQuery
     value: EMPTY
@@ -50,11 +50,11 @@ after: |
     [databricks:users]
     type = ip
     format = json
-    host = databricks.example.com
-    path = /sql/2.0/warehouses/vpndata
-    token = THETOKEN
+    host = abc-123456-789.cloud.databricks.com
+    path = /sql/1.0/warehouses/abcxyz125789
+    token = THESUPERSECRETTOKEN
     periodic=60
-    query=
+    query=SELECT * FROM catalog.schema.table WHERE ip = SEARCHTERM
     keyPath=vpn_ip
     fields=field:user;shortcut:user
   </pre>