topic Re: Custom command arguments in Getting Data In

Custom command arguments

alvaro_garcia — Tue, 19 Dec 2017 20:16:02 GMT

Hello Splunkers!
I have a custom command, that execute a perl script with argument.
Script.pl
//////////////

!/usr/bin/perl

use strict;
use warnings;
my $curlResponseCode = curl -v -H "Content-Type: application/xml" -X POST -H "X-X-API-Key: f2c3a693ef31HHHH7b2a294f0f9e5b84413" -d "<AAA><BBBB>AAA</BBBB><CCCC>50</CCCC><VVVV>$ARGV[0]</VVVV></AAAA>" "http://www.URL.com/test.xml";
///////////////////////
Commands.conf
[myscript]
type=perl
filename = script.pl

This script writes in corporate web site information.
I execute perl script.pl test, the script work fine.
I use the following search:
index=XXX
| stats count by field1
| script myscript field1
I need the value of field1, no the string field1.
I tried with ‘field1’, ‘$field1’ …. And any combination that I imagine
Any idea?
Thnks!

Re: Custom command arguments

harsmarvania57 — Wed, 20 Dec 2017 07:59:22 GMT

Answer given on this question might help you https://answers.splunk.com/answers/385936/unable-to-execute-python-script-could-be-splunk-li.html but they are for python, you need to modify your perl script accordingly and give it a try.

Re: Custom command arguments

alvaro_garcia — Wed, 20 Dec 2017 10:54:53 GMT

I adapted my perl script to python:

import requests,sys,splunk.Intersplunk
keywords, argvals = splunk.Intersplunk.getKeywordsAndOptions()
argument1 = argvals.get("field1")
print argument1
url= "http://www.XXXXXcom/AAA.xml"
headers = {'API-Key': 'f2c3a693esb2ad02f0f9e5b84413',
'Content-Type': 'application/xml'}
data = "% (argument1)"
r = requests.post(url, data=data, headers=headers)

But my problem now is how to pass the value of search field to argument1, i tried:
https://answers.splunk.com/answers/409554/how-to-pass-hostname-to-a-custom-alert-script.html and others. But I not an expert in python

Thanks

Re: Custom command arguments

harsmarvania57 — Wed, 20 Dec 2017 16:06:20 GMT

I have created below sample script in python which finds hostname from output and ingest data into splunk using HTTP Event Collector

test.py

import requests,sys,splunk.Intersplunk,json
keywords, argvals = splunk.Intersplunk.getKeywordsAndOptions()

try:
     head={"Authorization":"Splunk 34b7bbe4-f239-44b5-ba65-61d5bec103af", "Content-Type": "application/json"}
     url="http://localhost:8088/services/collector/event"
     results = splunk.Intersplunk.getOrganizedResults()
     item = results[0]
     for a in item:
          b = a['host']
     data={"sourcetype": "test", "event": b}
     r = requests.post(url, data=json.dumps(data), headers=head)
except Exception, e:
    splunk.Intersplunk.parseError(e)

commands.conf

[testcommand]
filename = test.py
local = true
supports_rawargs = false

Splunk query which I am running

index=_internal | stats count by host | testcommand

I hope this helps to create your own script based on your requirement.

Re: Custom command arguments

alvaro_garcia — Thu, 21 Dec 2017 08:10:15 GMT

Hello, thanks work fine!!
Thnks a lot.
Only a appreciation I need to change except Exception, e: to except Exception as e:

Re: Custom command arguments

alvaro_garcia — Thu, 21 Dec 2017 08:14:02 GMT

harsmarvania57 post as answer, and I set as correct

Re: Custom command arguments

harsmarvania57 — Thu, 21 Dec 2017 08:16:33 GMT

Glad to hear that it worked, I have converted my comment as answer please accept and upvote it.

Re: Custom command arguments

alvaro_garcia — Fri, 22 Dec 2017 07:29:58 GMT

Hi, the last question, ^_^
My query returns many result, I need to made a request for result.

Thanks!

Re: Custom command arguments

harsmarvania57 — Fri, 22 Dec 2017 08:48:11 GMT

Here is updated python script

import requests,sys,splunk.Intersplunk,json
keywords, argvals = splunk.Intersplunk.getKeywordsAndOptions()

try:
     head={"Authorization":"Splunk 34b7bbe4-f239-44b5-ba65-61d5bec103af", "Content-Type": "application/json"}
     url="http://localhost:8088/services/collector/event"
     results = splunk.Intersplunk.getOrganizedResults()
     item = results[0]
     for a in item:
       b = a['host']
       data={"sourcetype": "test", "event": b}
       r = requests.post(url, data=json.dumps(data), headers=head)
except Exception as e:
    splunk.Intersplunk.parseError(e)

If it works then you can upvote my comment.

Re: Custom command arguments

alvaro_garcia — Fri, 22 Dec 2017 09:24:00 GMT

I am using r = requests.post(url, data=data2, headers=head), my data is in xml format

Re: Custom command arguments

harsmarvania57 — Fri, 22 Dec 2017 09:35:04 GMT

Which value are you fetching from Splunk output url or data2 ? If you can paste your script here then it will be helpful.

Re: Custom command arguments

alvaro_garcia — Fri, 22 Dec 2017 09:41:16 GMT

!/usr/bin/env python

import requests,sys,splunk.Intersplunk
keywords, argvals = splunk.Intersplunk.getKeywordsAndOptions()

try:
head={"X-API-Key": "bca3cd217870968ddd4a6a2", "Content-Type": "application/xml"}
url="https://mydomain/host"

  results = splunk.Intersplunk.getOrganizedResults()
  item = results[0]
  for a in item:
                  AA = a['AA']
                 BB = a['tBB']
                  data2="<field1><field2>2</field2><field3>"+ AA +"</field3><field4>"+ BB +"</field4></field1>"
                  r = requests.post(url, data=data2, headers=head)

except Exception as e:
splunk.Intersplunk.parseError(e)

Re: Custom command arguments

harsmarvania57 — Fri, 22 Dec 2017 10:09:52 GMT

When you run above script what problem are you facing? and can you please remove !/usr/bin/env python from your script because splunk will use inbuilt python.

Re: Custom command arguments

alvaro_garcia — Tue, 26 Dec 2017 06:21:53 GMT

ok, thanks right, I remove the !/usr/bin/env python