How to make an HTTPS POST request via /opt/splunk/bin/python to get alert script to send alert details to my server?

tdepuy
Path Finder

Hey guys,
I'm trying to get my Alert script to send details of the alert to my server. The server only allows HTTPS connections, and it seems the built-in Python does not support SSL:

boba@splunk:/opt/splunk/bin/scripts$ /opt/splunk/bin/python
Python 2.7.5 (default, Sep  6 2014, 18:26:42)
[GCC 4.0.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>>
>>> import socket
>>> socket.ssl
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
AttributeError: 'module' object has no attribute 'ssl'
>>>
>>>
>>> import httplib
>>> httplib.HTTPSConnection
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
AttributeError: 'module' object has no attribute 'HTTPSConnection'
>>>

Ideally, I would like to have no dependencies on the environmental python, and only use Splunk's python. How can I make an HTTPS POST request via /opt/splunk/bin/python?

Thanks!
--- Travis

0 Karma
1 Solution

jrodman
Splunk Employee

This happens when you run Splunk's python without the Splunk environment.

Please try

$ /opt/splunk/bin/splunk cmd python

tdepuy
Path Finder

Well, I think that works?

boba@splunk:/opt/splunk/bin$ /opt/splunk/bin/splunk cmd python
Python 2.7.5 (default, Sep  6 2014, 18:26:42) 
[GCC 4.0.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> 
>>> 
>>> import socket
>>> socket.ssl
<function ssl at 0xb74aa1b4>
>>> 
>>> 

What are the implications of that being successful?

0 Karma

tdepuy
Path Finder

Darn, then it is a case of me barking up the wrong tree? I was trying to isolate why my script didn't seem to be working, so I went to the shell to test and I ran into these SSL errors. From what you are saying, when Splunk calls the Alert Script, it will use essentially that /opt/splunk/bin/splunk cmd python command to run my script. Ergo, if my alert script works from there, Splunk should have no problems calling it... which is good news.

0 Karma

jrodman
Splunk Employee

Well, it's more that before splunkd ever starts in the first place, splunk start will have set up LD_LIBRARY_PATH, PATH, PYTHONPATH and so on.

If your script is failing and you don't get any good information, you could start by looking in splunkd.log to see if the stderr is ending up there. For a lot of problems it's easiest to just copy-pasta a system alert's logging setup and start dumping debug statements to python.log

0 Karma

tdepuy
Path Finder

Yep, definitely a case of barking up the wrong tree. The script was throwing an SSL error that I apparently wasn't logging, and it was painfully obvious when I ran that /opt/splunk/bin/splunk cmd python with my script. Once I remedied the SSL error the HTTPS request was fine.
Thank you for the nudge. I had nearly given up hope.

0 Karma

jrodman
Splunk Employee

I don't know how to answer this question. The implications are that you can do what you wanted.

The splunk environment will already be in place, of course, by the time splunk runs your alert script. For manual testing though, you'll have to use that recipe, or alternatively . /opt/splunk/bin/setSplunkEnv which sets up a shell to have that environment. That first dot is a command, and the path is the argument. I don't personally like setting up my shell with the Splunk env, as it can get system utilities to use the Splunk-provided libraries (which usually works but I'd prefer to avoid it). But if you're not doing system-administration in that config it's probably not a big deal.

0 Karma

tdepuy
Path Finder

Does anyone else get this error from python packaged with their splunk instance?

0 Karma

tdepuy
Path Finder

Oh, I get similar errors for urllib, urllib2 and httplib2.

0 Karma
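
As an added example (not code from this thread or from Splunk), here is an alert script skeleton in the spirit of the replies above: it POSTs its arguments over HTTPS with certificate verification and logs any exception, traceback included, to stderr instead of failing silently. It is written for Python 3; the endpoint URL, the JSON payload shape and the `opener` parameter are assumptions made for illustration.

```python
"""Added example: alert script that POSTs its arguments over HTTPS and logs failures."""
import json
import logging
import ssl
import sys
from urllib.request import Request, urlopen

ENDPOINT = "https://alerts.example.invalid/splunk"  # placeholder URL (assumption)
log = logging.getLogger("alert_post")


def build_request(argv, url=ENDPOINT):
    """Package the script's arguments as a JSON POST; refuse non-HTTPS targets."""
    if not url.lower().startswith("https://"):
        raise ValueError("refusing to send alert details over a non-HTTPS URL")
    # Payload shape is hypothetical: script name plus whatever arguments were passed.
    body = json.dumps({"script": argv[0], "args": argv[1:]}).encode("utf-8")
    return Request(url, data=body, headers={"Content-Type": "application/json"})


def send_alert(argv, url=ENDPOINT, opener=urlopen, timeout=10):
    """Return the HTTP status code, or None after logging the full error."""
    try:
        req = build_request(argv, url)
        # Default context verifies the certificate chain and the hostname.
        ctx = ssl.create_default_context()
        resp = opener(req, context=ctx, timeout=timeout)
        status = resp.getcode()
        log.info("alert posted to %s, status %s", url, status)
        return status
    except Exception:
        # ssl.SSLError, URLError, ValueError, ...: keep the traceback so the
        # failure is visible instead of being swallowed.
        log.exception("alert POST to %s failed", url)
        return None


if __name__ == "__main__":
    # Log to stderr, which is where the reply above suggests looking (splunkd.log).
    logging.basicConfig(stream=sys.stderr, level=logging.INFO,
                        format="%(asctime)s %(levelname)s %(name)s %(message)s")
    sys.exit(0 if send_alert(sys.argv) else 1)
```

Run it by hand through `/opt/splunk/bin/splunk cmd python`, as the accepted answer suggests, so the interpreter sees the same environment Splunk gives it.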