topic Re: Passing search results to external python script in Splunk Search

Passing search results to external python script

utpress — Mon, 28 Sep 2020 11:28:27 GMT

I know it's just my lack of knowledge with Splunk causing me some grief here but...

I want to pass search results to an external python script.

Here is my search:

sourcetype="*WinEventLog:Security" (EventCode=528 OR EventCode=4624) AND Logon_Type=10 | eval event_date = strftime(_time, "%D %T %P") | eval User = if(isnull(Account_Name), User_Name, mvindex(Account_Name,1)) | script python alogin User Source_Network_Address host

My python script merely sends me an email with what I thought would be the field values I passed (User, Source_Network_Address and host).

But I'm actually getting the words "User", "Source_Network_Address" and "Host" in the email.

Of course I tested the script and if I run the script - "python alogin.py nicholas 10.0.10.99 SERVER" it works and I'm sent an email with the three values passed as expected.

What am I missing here?

Thanks in advance.

Re: Passing search results to external python script

dcparker — Wed, 20 Mar 2013 13:52:43 GMT

Had any luck with this?

Re: Passing search results to external python script

sanurd — Fri, 19 Jun 2015 03:26:44 GMT

I have a similar requirement of passing search results as arguments to a python script. Has anyone been able to workaround this problem ?

Re: Passing search results to external python script

MuS — Fri, 19 Jun 2015 04:21:10 GMT

Hi utpress,

your script must import splunk.Intersplunk and use the following two lines to read results from previous searches:

myresults,dummyresults,settings = splunk.Intersplunk.getOrganizedResults() # getting search results form Splunk
for r in myresults: # loop the results

Hope that helps ...

cheers, MuS

Re: Passing search results to external python script

annalisefolsen — Mon, 20 Jun 2016 13:34:18 GMT

Hi MuS,

I tried to import Intersplunk, but it can't find the import (the module cannot be found). Is there a special download that you need other than the SDK? Also, if you can direct me to more information on this module that would be wonderful! I have not been able to find any documentation so far.

Thank you!

Re: Passing search results to external python script

MuS — Mon, 20 Jun 2016 21:42:53 GMT

@annalisefolsen,

Try to run this on your Splunk server (assuming it's linux) :

 /opt/splunk/bin/splunk cmd python -c "import splunk.Intersplunk"

This will not fail. Remember to use Splunk's Python in your script and not the OS one located in /usr/bin/.
You can find some documentations here http://docs.splunk.com/Documentation/Splunk/6.4.1/Search/Writeasearchcommand and here http://dev.splunk.com/view/python-sdk/SP-CAAAEU2

Hope this helps ...

cheers, MuS

Re: Passing search results to external python script

annalisefolsen — Tue, 21 Jun 2016 15:26:21 GMT

Thank you. I've run it in Splunk and it is now able to find module.

Re: Passing search results to external python script

annalisefolsen — Wed, 29 Jun 2016 19:52:03 GMT

Hi MuS,

I thought that Intersplunk could change the event data when it is output (and not just display). I have done this and nothing has changed. Is this possible, or do I have to find another way to do this?

Thanks again for your help!

Re: Passing search results to external python script

MuS — Wed, 29 Jun 2016 20:37:13 GMT

@annalisefolsen , I don't know what you are trying to achieve - but if you look at this example here http://docs.splunk.com/Documentation/Splunk/6.4.1/Search/Customsearchcommandshape you will learn how to pass a Splunk search result into a python script, do stuff with the result and return it into Splunk.

Re: Passing search results to external python script

woodcock — Sat, 18 Feb 2017 22:08:32 GMT

This isn't the "right" way to do this, but it is the most expedient and it allows you to recycle your traditional alert script for use in regular searches, too. This example assumes that you will be passing 2 fields to the scirpt: scr_ip and host; you will need to adjust slightly for the fields that you will be using.

Insert this code to your MyAlertScript.py code right before your existing code that accesses the results.csv.gz file in argv[8]:

# In order to facilitate Event Workflow Actions using runshellscript,
# we will hijack the arguments in one special case as follows:
#    1(sys.argv[1]) = '1'
#    2(sys.argv[2]) = '"<src_ip>","<host>"'
#    3(sys.argv[3]) = 'Hack'
#    4(sys.argv[4]) = 'to'
#    5(sys.argv[5]) = 'run'
#    7(sys.argv[6]) = 'from'
#    6(sys.argv[7]) = 'runshellscript'
#    8(sys.argv[8]) = * <- DO NOT CHECK because splunk modifieds this on the way in
# If in this format we will pull the data directly out of the 2nd argument,
# instead of out of the restults file.
specialCase = False # initialize to FALSE
if ((sys.argv[1] == '1') and (sys.argv[3] == 'Hack') and (sys.argv[4] == 'to') and
    (sys.argv[5] == 'run') and (sys.argv[6] == 'from') and
    (sys.argv[7] == 'runshellscript')):
    print "SPECIAL CASE!\n" # Special case!
    specialCase = True # make sure we delete this file at the end!

    fnz = workdir + 'results.csv.gz'
    with gzip.open(fnz, 'wb') as OFH:
       OFH.write('src_ip,host\n')
       OFH.write(sys.argv[2])
    OFH.close()

    sys.argv[8] = fnz
    #print "SPECIAL CASE: ARGV8=<" + sys.argv[8] + "> fnz=<" + fnz + ">\n"

Then at the bottom, add this, too:

if (specialCase): os.remove(sys.argv[8]) # delete fake zip file we made

Next you need a macro like this (to abstract away the trickery):

[MyScript]
definition = table src_ip host\
| map maxsearches=5000 search="|runshellscript MyAlertScript.py 1 \"\\\"\\\"$src_ip$\\\",\\\"$host$\\\"\\\"\" Hack to run from runshellscript 8"
iseval = 0

Now, to use it, you just do this:

My Search To Get Events With src_ip And host Here | `MyScript`

SPECIAL WARNING! This will not scale nicely if you pass a large number of results to the script because of the map command but it works GREAT for small numbers of events.

Re: Passing search results to external python script

suryaavinash — Wed, 21 Mar 2018 01:34:43 GMT

Hi ,

I have a similar requirement and came across below solution from a different post. Check if it helps.

https://answers.splunk.com/answers/149836/how-to-run-an-alert-script-on-field-values-generated-in-splunk.html

Re: Passing search results to external python script

srinivasup — Fri, 27 Jul 2018 16:56:09 GMT

can you MyAlertScript.py full code for reference.

Re: Passing search results to external python script

thambisetty — Fri, 27 Jul 2018 18:29:07 GMT

created an add-on which will call python script with result file.

you should have python/shell script in the bin directory to be called by this script with results.

I will post this add-on to splunk base soon.