topic Re: creating splunk search in python script in Splunk Dev

creating splunk search in python script

thambisetty — Tue, 29 Sep 2020 16:57:49 GMT

Hi Splunk,

I am trying to create splunk search in my python script where the script is being used to create HPSM ticket.

I have created HPSM action and added to correlation search adaptive response action and this executes python script and I need to find event_id for orig_sid (sid from splunk statndard input) before creating ticket and need to add event_id in request to create HPSM ticket. using this I have created method in the same script to run search to get event id for the same sid. search is returning void. if I run method in different python script its working fine.

Here is my method which will create search in splunk(used both create and export)

def run_search(sid):
logger.debug("Entered with sid '%s'",sid)
#sid='scheduler_s785863SplunkEnterpriseSecuritySuite_RMD53eff93817270d051_at_1511794860_96'
sid=sid
#kwargs_export = {"earliest_time": "-24h","latest_time": "now","search_mode": "normal","output_mode":"json"}
searchquery_export = "search `notable`| search orig_sid=" + sid + " | table event_id"
logger.debug("Search Query '%s'",searchquery_export)
service = client.connect(username="splunk", password="********")
logger.debug("Service connect %s",service)
#time.sleep(60)
#exportsearch_results = service.jobs.export(searchquery_export, **kwargs_export)
job = service.jobs.create(searchquery_export,{"exec_mode": "blocking"})
logger.debug("Inner job SID '%s'", job)
result_stream = job.results()
reader = results.ResultsReader(result_stream)
for item in reader:
logger.debug("Inner job Results '%s'", item)
#query_results = exportsearch_results.read()
#logger.debug("Notable Result '%s'", query_results )
#return query_results
If I use static sid , its working .

Please help me out.
Thanks in advance.

Re: creating splunk search in python script

hardikJsheth — Tue, 28 Nov 2017 06:43:50 GMT

Try surrounding sid with quotes
i.e

searchquery_export = "search `notable`| search orig_sid=\"" + sid + "\" | table event_id"

I use searchAll/searchOne method of Splunk for executing search from python script which is easier compare to creating job. Sharing it for your reference.

import splunk.search as splunkSearch

labels = splunkSearch.searchAll('| inputlookup abc_workload_mapping_lookup | search workload_d="%s" hostname = "*" | dedup type | table href type' % workload_uuid, sessionKey=session_key, namespace=app_name, owner='nobody')
    labelsList = []

Re: creating splunk search in python script

thambisetty — Tue, 28 Nov 2017 07:03:17 GMT

Thanks for your answer.

How did you get the session key?

Re: creating splunk search in python script

hardikJsheth — Tue, 28 Nov 2017 08:51:44 GMT

If it's python script, you need to set "passAuth" varriable in inputs.conf.

passAuth = splunk-system-user

Splunk will pass session key as argument to your python script which can be accessed with following line.

sessionKey = sys.stdin.readline().strip()

In case it's AR action, you can access it from modaction.session_key.

Re: creating splunk search in python script

hardikJsheth — Fri, 01 Dec 2017 10:03:57 GMT

@thambisetty did you resolve your problem? It will be helpful for all if you can provide your solution here .

Re: creating splunk search in python script

thambisetty — Tue, 29 Sep 2020 17:02:52 GMT

script is working. when I run it separately, but when i include this in the script its not working.

what i have observed so far:
I have created two python files 1. adaptive response which will take the payload from notable event and create ticket in HPSM. 2. while updating the ticket the ticket I need to get event_id by running search against notable with filter orig_sid.
I am calling 2nd script from first script main function. and the second script is being called with the orig_id parameter and giving job_id in logging but not giving results. this is where I got stuck up.

if I run second script alone by passing static values its working fine.

please let me know your experiences if you guys have already seen this before.