topic Re: Using a Python script to call an API in Getting Data In

Using a Python script to call an API

bazcurtis178 — Sat, 28 Oct 2017 11:05:45 GMT

Hi,

I am trying to use the Sophos Central API. It uses a Python script to download the data into a file. I have successfully run this on my Mac, but I am not sure where to start in Splunk. I thought I would drop the script in $SPLUNK_HOME/bin/scripts, but the script is not seen.

I assume Splunk will then look at the downloaded file and index it?

Any help would be much appreciated.

Re: Using a Python script to call an API

jkat54 — Sat, 28 Oct 2017 12:11:06 GMT

Check out inputs.conf section regarding scripted inputs.

The scripted input indexes whatever is coming to stdout.

If your script downloads data to a file, perhaps a slight modification would make it print the data to stdout.

Another option is making the script run as a cron job and then using splunk inputs.conf monitor stanza to monitor the location that the script is putting data files into.

Re: Using a Python script to call an API

bazcurtis178 — Sat, 28 Oct 2017 14:43:09 GMT

Thanks for the reply. My first issue is getting the script to run. How do I get the script add to at least run once?

Re: Using a Python script to call an API

Damien_Dallimor — Sat, 28 Oct 2017 18:51:18 GMT

Having a quick look at the docs , https://community.sophos.com/kb/en-us/125169/ and the example script , https://github.com/sophos/Sophos-Central-SIEM-Integration

It would be very easy to use the REST API Modular Input and setup an input with Sophos URL , Auth headers, Checkpointing etc.. as detailed in the docs and skip the need to save a downloaded file to disk and rather just stream this data directly in to Splunk.

Re: Using a Python script to call an API

jkat54 — Sat, 28 Oct 2017 20:01:32 GMT

This link does a pretty good job of explaining it:

https://sublimerobots.com/2017/01/simple-splunk-scripted-input-example/

The inputs.conf tells splunk to execute the script based on whatever interval you provide.

Re: Using a Python script to call an API

bazcurtis178 — Mon, 30 Oct 2017 17:33:18 GMT

Thanks for the replies. I will take a look at that and confirm the answer once tested. I like the look of the Rest API. I was hoping to get the data straight in to Splunk rather than download the file and get the data from there.

Re: Using a Python script to call an API

jkat54 — Mon, 30 Oct 2017 18:42:57 GMT

That’s exactly what the rest api modular input would do. Same for a scripted input writing to stdout.

Re: Using a Python script to call an API

bazcurtis178 — Mon, 06 Nov 2017 17:56:00 GMT

I have finally got back to this. Sorry for all the questions, but I appreciate the help.

I assumed that I would paste in the Header API key or API Access URL + Headers into the setup page, but I am not seeing a place for that. The URL is obvious, but where do the API tokens go? With only two to choose from I thought it would be simple?

Any other pointers would be most welcome.

Re: Using a Python script to call an API

Damien_Dallimor — Mon, 06 Nov 2017 23:58:48 GMT

I have underlined where you enter 1) URL 2) HTTP Header propertys 3) URL parameters

Re: Using a Python script to call an API

bazcurtis178 — Tue, 07 Nov 2017 20:38:36 GMT

Thanks Damien. I will take a look at this on Friday.