How does one create inline Python scripts for use in Splunk searches?

dc5553 — Mon, 24 Aug 2015 13:27:11 GMT

I am creating a simple script to take a hex(base 16) encoded field and convert it to readable text. For this endeavor, I have decided to use the built-in Python function for strings "<string>.decode("hex")." I would like to use this script in a search "pipeline" running a field called packet through the statement and creating a new field of decoded text in the process.

I have read the documentation for the API splunk.Intersplunk, however, I am not 100% understanding what exactly that I need to use to complete my script. Specifically, from the examples I have seen, I do not understand what the following lines do for me?

(isgetinfo, sys.argv) = splunk.Intersplunk.isGetInfo(sys.argv)

Additionally in the case of collecting results and creating the new field, is the following line needed?

results = splunk.Intersplunk.readResults(None, None, False)

So you are tracking this is what I have thus far and I believe I am close.

import sys
import splunk.Intersplunk
import string


#Program takes hex encoded string from a field and outputs value in search results at the gui
(isgetinfo, sys.argv) = splunk.Intersplunk.isGetInfo(sys.argv) #debug to see arguments I think Does it print these out?
results = splunk.Intersplunk.readResults(None, None, False) 

str=""

if len(sys.argv) < 2: # make sure there is an argument passed if not return error
    splunk.Intersplunk.parseError("[!] No arguments provided, please provide one argument.")
    sys.exit(1)

else: #grab the string from sys.argv and make it uppercase because I like uppercase hex strings :)
    str=sys.argv[1]
    str=str.upper()


if all(char in string.hexdigits for char in str): # make sure all characters are hex    
    decoded_string = str.decode("hex")
    splunk.Intersplunk.outputResults(decoded_string)


else: # return an error if its not a hex string
    splunk.Intersplunk.parseError("[!] String provided is not [A-F 0-9], please validate your inputs")
    sys.exit(1)

Also I am aware of the need for the STANZA setting below.

[decode_hex]
TYPE = python
FILENAME = decode_hex.py

Re: How does one create inline Python scripts for use in Splunk searches?

jensonthottian — Tue, 29 Sep 2020 07:04:07 GMT

After creating the python script, copy the script to $SPLUNK_HOME/etc/system/local directory.
reate or edit existing authorize.conf
and commands.conf.

In commands.conf add:

[youcommandname]
FILENAME = yourscript.py

In authorize.conf add:

[capability::run_script_yourcustomcommand]

[role_admin]
run_script_yourcustomcommand = enabled

Restart Splunk to test the command.

Re: How does one create inline Python scripts for use in Splunk searches?

dc5553 — Mon, 24 Aug 2015 19:21:20 GMT

This does not answer my question. Please read the full text of what i wrote. Explain how i pass values not stanza or administrative settings please

topic Re: How does one create inline Python scripts for use in Splunk searches? in Splunk Search

How does one create inline Python scripts for use in Splunk searches?

Re: How does one create inline Python scripts for use in Splunk searches?

Re: How does one create inline Python scripts for use in Splunk searches?