From 9dc728bc333187c6210b5ced0895dabd69665820 Mon Sep 17 00:00:00 2001
From: Mathieu LE CLEACH
Date: Mon, 5 Aug 2024 16:58:23 +0200
Subject: [PATCH] add: alert expiration option in Splunk

---
 src/droid/platforms/splunk.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/droid/platforms/splunk.py b/src/droid/platforms/splunk.py
index 9e15525..9c1aff6 100644
--- a/src/droid/platforms/splunk.py
+++ b/src/droid/platforms/splunk.py
@@ -57,6 +57,7 @@ def __init__(self, parameters: dict, debug: bool, json: bool) -> None:
         self._app = self._parameters['app']
         self._job_ttl = self._parameters['job_ttl']
         self._acl_update_owner = self._parameters['acl_update_owner']
+        self._alert_expiration = self._parameters['alert_expiration']
         self._acl_update_perms_read = self._parameters['acl_update_perms_read']
 
         if 'suppress_fields_groups' in self._parameters['savedsearch_parameters']:
@@ -193,7 +194,7 @@ def create_search(self, rule_content: dict, rule_converted: str, rule_file: str)
         earliest_time = self._earliest_time
         latest_time = self._latest_time
         cron_schedule = self._cron_schedule
-
+        alert_expiration = self._alert_expiration
         alert_name = rule_content["title"]
         alert_description = rule_content["description"]
 
@@ -213,6 +214,7 @@ def create_search(self, rule_content: dict, rule_converted: str, rule_file: str)
             "dispatch.latest_time": latest_time,
             "is_scheduled": True,
             "disabled": False,
+            "alert.expires": alert_expiration,
             "is_visible": True
         }
         # Add actions to alert_config from droid_config.toml
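Review bot: The new `self._parameters['alert_expiration']` lookup in `__init__` turns `alert_expiration` into a mandatory config key, so every existing Splunk platform section in droid_config.toml that predates this commit will now fail with a bare `KeyError` at construction time. Unless the intent is to make it required (in which case the README/config template should say so), prefer a lookup with an explicit default, e.g. `self._alert_expiration = self._parameters.get('alert_expiration', '24h')` — 24h is, as far as I recall, Splunk's own default for `alert.expires`, so confirm before pinning it. Either way a short comment on the line naming the expected format (a Splunk time span such as `24h` or `7d`) would save the next maintainer a trip to savedsearches.conf. `__init__` continues outside the hunk.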
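Review bot: The removed line in `create_search` was the blank separating the dispatch-window locals (`earliest_time`, `latest_time`, `cron_schedule`) from the rule-identity locals (`alert_name`, `alert_description`); putting `alert_expiration = self._alert_expiration` in its place collapses the two groups. Keep the alias but restore the blank line after it so the grouping survives. `create_search` starts and ends outside the hunk.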
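Review bot: `"alert.expires": alert_expiration` forwards the configured value verbatim into the saved-search payload, and nothing visible here checks that it is a Splunk time span before the request is sent, so a malformed value (or `None` if the config lookup is ever made optional) only surfaces as a remote API error at deploy time. A one-line guard before the dict is built, e.g. `if not alert_expiration: raise ValueError("alert_expiration must be set (e.g. '24h')")`, keeps the failure local and the message actionable. Worth documenting too, since this setting decides how long a triggered alert remains visible for triage — a too-short value silently shortens the window responders have to act on it. The `alert_config` dict begins above the hunk, so the guard's placement is inferred.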