topic Re: How to execute external script to manipulate file from search command in Splunk Search

How to execute external script to manipulate file from search command

sieutruc — Thu, 18 Oct 2012 14:04:03 GMT

hello,

i have a testing python script as:
test.py

  fo=open("c:/test.txt",'w')
  fo.write("hello")
  fo.close()

and put in \etc\apps\Search\bin

\etc\apps\Search\local\commands.conf is:

[test]
filename= test.py

I execute in search :

| test

Error "you have insufficient privileges to perform this action", i tried the other way, but unsuccessful

Can you show me what i should do to run that script ? (i run with admin role)

Re: How to execute external script to manipulate file from search command

Gilberto_Castil — Thu, 18 Oct 2012 16:29:26 GMT

Hello there,

There is difference between a custom command and invoking an external script with Splunk. There are also different applications to each one of these items. Personally, I use custom commands to receive search results and manipulate for presentation -where the search language does not meet my requirements or for specific functionality. I run external scripts when I want to pass results of a search to an external action or process.

Without the context of your intent, here are the mechanics to either case.

To use a custom command you will need to embed your code around a wrapper. This is explained here.

import sys,splunk.Intersplunk
results = []

try:
   results,dummyresults,settings = splunk.Intersplunk.getOrganizedResults()

############### YOUR CODE HERE ##############
   fo=open("c:/test.txt",'w')
   fo.write("hello")
   fo.close()

############### DATA MANIPULATION HERE ##############

except:
   import traceback
   stack =  traceback.format_exc()
   results = splunk.Intersplunk.generateErrorResults("Error : Traceback: " + str(stack))

splunk.Intersplunk.outputResults( results )

On the other hand, if you just want to run an script and pass some variables to it, the process is different. The Splunk Language provides a 'script' command which allows for the call. That is documented here. You would use this on your search like this:

index="blah" sourcetype="blah"... | script python test.py param1 param2

I hope this helps.

Happy Splunkin'

Re: How to execute external script to manipulate file from search command

sieutruc — Fri, 19 Oct 2012 13:05:51 GMT

it's perfect 🙂 thank you so much .

Re: How to execute external script to manipulate file from search command

sieutruc — Fri, 19 Oct 2012 13:14:41 GMT

can i ask one more ? if i want to show on splunk web the message that indicates the status of the execution script , is it running or terminated with succesfull or errorous notification, what function should i use ?

Re: How to execute external script to manipulate file from search command

Gilberto_Castil — Wed, 24 Oct 2012 13:30:15 GMT

Hello and sorry for the late reply. The school of thought is that if you are not looking to manipulate search results with the script, then the two methods above are not the best approach.

Splunk has a scripted input mechanism which allows you to schedule the execution of a script and the capture the stdout message from the script. The result is a record of the notification obtained by the script and its execution state. That would give you the result you desire.

If you do not wish to use Splunk for scheduling, dump the script results to a file and then have Splunk index that file.

Re: How to execute external script to manipulate file from search command

harshjets — Thu, 14 Feb 2013 12:37:01 GMT

This Link
"To use a custom command you will need to embed your code around a wrapper. This is explained here."
is no longer available can you please let me know where can I find this info.

Re: How to execute external script to manipulate file from search command

Gilberto_Castil — Thu, 07 Mar 2013 20:14:16 GMT

Hello harshjets, I have upated the link.

http://docs.splunk.com/Documentation/Splunk/latest/AdvancedDev/SearchScripts

Re: How to execute external script to manipulate file from search command

shaileshmali — Thu, 23 Jun 2016 21:34:27 GMT

I have splunk script below which takes input can you help how to use splunk intersplunk for this script to take input and provide output

def base36encode(number):
if not isinstance(number, (int, long)):
raise TypeError('number must be an integer')
if number < 0:
raise ValueError('number must be positive')

alphabet, base36 = ['0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ', '']

while number:
    number, i = divmod(number, 36)
    base36 = alphabet[i] + base36

return base36 or alphabet[0]

def base36decode(number):
return int(number, 36)

print(base36encode(1412823931503067241))
print(base36decode('AQF8AA0006EH'))