topic Re: How we can run splunk python sdk code in splunk as scripted input? in Splunk Dev

How we can run splunk python sdk code in splunk as scripted input?

ajitshukla61116 — Fri, 19 Apr 2019 10:55:00 GMT

In this case ,I have Index "A" with Two fields "Latitude" and "Longitude" ,now I want my python script fetch these two fields from Index"A" and calculated distance (using internal logic) and then indexed this distance field into Index "B".

For this case I have used splunk python sdk to get indexed data ,now I want this script will run by splunk as scripted input to ingest data in index "B" .

Please help me out do complete this task.

Re: How we can run splunk python sdk code in splunk as scripted input?

niketn — Mon, 22 Apr 2019 03:25:36 GMT

@ajitshukla61116 , what is the condition for reading index A and pushing to index B? based on the description seems like this should be a Scheduled Search with to calculate distance between geolocation Alert Action, then use collect command to insert to a new index. (With option 1 below this all can be done within splunk using SPL, without any need of python coding).

However, you can try one of the following options. If option 1 does not meet your requirement you can create custom command as per option 2.

Option 1: can you refer to the following answer post by @MuS which deals with Distance between two geo-locations: https://answers.splunk.com/answers/317935/calculating-distances-between-points-with-geoip-us.html
This can be done directly via SPL.

Option 2: If this does not help you can read the Custom Command Splunk Dev Example and create your own custom command on similar lines: http://dev.splunk.com/view/python-sdk/SP-CAAAEU2

Option 3: You can use the script command to execute script stored in bin folder of the app. https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Script

Option 4: Custom Alert Action to calculate geolocation and collect to index: https://login.splunk.com/index.php?module=roles&func=showloginform&redirecturl=https://docs.splunk.com/Documentation/Splunk/ltest/AdvancedDev/ModAlertsIntro

Re: How we can run splunk python sdk code in splunk as scripted input?

ajitshukla61116 — Thu, 25 Apr 2019 10:41:26 GMT

thanks @niketnilay for these options.
Actually I have one index which have multiple fields like latitude,Longitude ,"FieldA","FieldB","FieldC".Using these fields I have to calculate "distance" and again ingest "distance" filed into same index for every events.
For distance calculation I have to use python script because distance calculation logic can not be implemented on splunk search.

Note:in this case I will get already ingested data .I have calculate distance and add distance filed to same index.

I am trying custom command but I am not able to fetch more than two variable from splunk side .I don't know why I am getting error code 1.
please check my code :
import sys
import splunk.Intersplunk
import json
import requests as req

def calculate_distance(lat,long,fieldA,fieldB,fieldC):

   #internal logic will be here


return distance

def collect_events():
results, dummyresults, settings = splunk.Intersplunk.getOrganizedResults()
for result in results:
lat=result["Latitude"]
long=result["Longitude"]
fieldA=result["FieldA"]
fieldB=result["FieldB"]
fieldC=result["FieldC"]
result[distance]=calculate_distance(lat,long,fieldA,fieldB,fieldC)
splunk.Intersplunk.outputResults(results) 
collect_events()