hi all, we are using the python script below to pass a JSON structure from an Splunk alert.
I need to pass 2 more custom strings but I am not sure how.
Inside a Splunk alert I have the "Description" field which I could use to type my custom string but how do I pass that down to the script as an argument?
Also, I would need to pass the 2nd custom string as another argument. How do I do that?
Here is my python script:
import json
import requests
import sys
import pprint
url = 'http://10.10.10.10:8080/api/2.0/ICTAPIHandlers/JSON.php'
if len (sys.argv) != 9 :
print("Usage: python ict.py count terms query name reason url tags path")
sys.exit (1)
searchCount = sys.argv[1] # $1 - Number of events returned
searchTerms = sys.argv[2] # $2 - Search terms
searchQuery = sys.argv[3] # $3 - Fully qualified query string
searchName = sys.argv[4] # $4 - Name of saved search
searchReason = sys.argv[5] # $5 - Reason saved search triggered
searchURL = sys.argv[6] # $6 - URL/Permalink of saved search
searchTags = sys.argv[7] # $7 - Always empty as of 4.1
searchPath = sys.argv[8] # $8 - Path to raw saved results in Splunk instance (advanced)
data = {"searchCount":searchCount, "searchTerms":searchTerms, "searchQuery":searchQuery, "searchName":searchName, "searchReason":searchReason, "searchURL":searchURL,"searchTags":searchTags,"searchPath":searchPath }
data_json = json.dumps(data)
headers = {'Content-type': 'application/json'}
response = requests.post(url, data=data_json, headers=headers)
pprint.pprint(response.json())
pprint.pprint(response.json()['json'])
Thank you
See my unaccepted answer here:
https://answers.splunk.com/answers/41949/passing-search-results-to-external-python-script.html
See my unaccepted answer here:
https://answers.splunk.com/answers/41949/passing-search-results-to-external-python-script.html
sorry but I didnt understand that post. Bear in mind that the 2 extra custom strings I need, I am trying to type them somewhere inside the alert and pass as a argument.
If that is not possible I could pull that info from a static file but that would only appear in the results of the query. I am new to Splunk; it is still a black box for me. Thanks.
My answer does exactly that. It is a complete walk-through. Just give the code a try.