topic Re: How to use python library in Splunk? in Splunk Dev

How to use python library in Splunk?

packet_hunter — Thu, 11 Feb 2016 16:39:05 GMT

I know there is documentation, however, can someone give a simple example (with steps) for installing/using a python module from the native python library in Splunk? If it is not native please example how to install it into SPL v 6.2.3

Any explanation how to get started with python in Splunk is appreciated.

Thank you

Re: How to use python library in Splunk?

richgalloway — Thu, 11 Feb 2016 17:14:28 GMT

Python is built-in to Splunk so no installation is required. What do you want to do with Python? Are you creating a scripted input or something else?

Re: How to use python library in Splunk?

packet_hunter — Thu, 11 Feb 2016 18:28:56 GMT

Scenario: I need to look at all incoming email domains (e.g. sender@domain.tld) and compare them to a white list of domains to see if the new arrivals are typo-squatting, fuzzing, etc. (e.g. sender@domaininc.tld). I am not looking for exact matches but permutations of the white list.

I have tried "cluster" but it slows the search to a crawl. Therefore I was thinking of using some python scripts to do some of the heavy lifting (comparing). Maybe I am off track...

If you have any suggestions please let me know.

Of course, I am also interested in using python for other SPL enhancements as well.

Thank you

Re: How to use python library in Splunk?

richgalloway — Thu, 11 Feb 2016 18:43:41 GMT

Generally speaking, you write a Python script that performs the needed functions and place it in your app's 'bin' directory. The script is then invoked either by a custom search command. See http://docs.splunk.com/Documentation/Splunk/6.3.3/Search/Aboutcustomsearchcommands.

Re: How to use python library in Splunk?

packet_hunter — Thu, 11 Feb 2016 18:54:52 GMT

That makes sense. Thank you

Re: How to use python library in Splunk?

packet_hunter — Thu, 18 Feb 2016 21:14:45 GMT

Hi Rich, I don't have an option to accept your answer. If your comment an answer then I will accept it. Thanks

Re: How to use python library in Splunk?

joelurtubia — Tue, 29 Sep 2020 16:36:49 GMT

Hello, I was the same problem with Mysql module that I was install on my Centos server

Splunk didn't work with this library, because splunk has they own python library...then you can fix it only added on the begin your script all libraries of python and also you must to add the python Centos library too... as this way

Find python packages

[root@xxxx]#find / -name site-packages
/usr/lib/python2.7/site-packages
/usr/lib64/python2.7/site-packages
/opt/splunk/etc/apps/Splunk_SA_Scientific_Python_linux_x86_64/bin/linux_x86_64/lib/python2.7/site-packages
/opt/splunk/lib/python2.7/site-packages

Find python binary

[root@xxxx]# whereis python
python: /usr/bin/python2.7 /usr/bin/python /usr/lib/python2.7 /usr/lib64/python2.7 /etc/python /usr/include/python2.7 /opt/splunk/bin/python /opt/splunk/bin/python2.7 /usr/share/man/man1/python.1.gz

include all at begin your script

import sys
sys.path.append('/usr/bin/python2.7')
sys.path.append('/usr/lib/python2.7/site-packages')
sys.path.append('/usr/lib64/python2.7/site-packages')

And that's it , you can run mysql module without any problem and create your alerts with this module.

Mysql Connection

import mysql.connector

I hope that this fix will help you
Joel Urtubia Ugarte