I'm looking at the Scheduled Export of Indexed Data (SEND) to File app from Splunkbase.
If I understand it as it stands - it is only going to try and write an alert output to a directory/file visible to the search head. I am looking for ways to push (scheduled search/alert) CSV to an SFTP location. And crucially, this will be from Splunk Cloud.
Is this app a good way to do this? Would they basically just edit the sendfile.py to send to their sftp location and get that vetted as if it was their app?
Please also comment on how this approach differs from a scheduled search with script output.
Hello, @Damien Dallimore I am using your Send to File app and see the following error in the View log events of the app.
This is the search it produces: index=_internal sourcetype=splunkd component=sendmodalert action="sendfile"
Error 1: Alert action script returned error code=2 OR Failed trying to send file
Error 2: 01-30-2019 17:04:27.261 -0500 ERROR sendmodalert - action=sendfile STDERR - [Errno 2] No such file or directory: u'\\WS101\FTPFromAIX\SPLUNKDemandReports/Fax_Test2'
I believe under the Send to File - Trigger Actions - Directory Output - it's unable to find that server path.
Can you share some guidance (or an example) on how that path should be entered?
I placed the complete for i.e: \WS101\FTPFromAIX\SPLUNKDemandReports
Note: It's a Windows server.
You understand correctly.
The intent of that App I put on Splunkbase is to demonstrate how you might implement a scheduled export of data using a Modular Alert.
So you can take the code and then use it as a base template for your use case, in your case, SFTP export.
You can take a copy of the code from Splunkbase or get it here:
Then add in your SFTP logic (only a couple of lines in Python most likely), dummy code example only:
```python
import json
import os
import sys

import pysftp


def send_file(file, settings):
    param_sftp_host = settings.get('sftp_host')
    param_username = settings.get('username')
    param_password = settings.get('password')

    # stderr is written to splunkd.log, so log the target but never the password
    print("DEBUG Sending file to %s as %s" % (param_sftp_host, param_username),
          file=sys.stderr)

    try:
        # The context manager closes the connection even if put() fails
        with pysftp.Connection(host=param_sftp_host, username=param_username,
                               password=param_password) as srv:
            srv.put(file)
        return True
    except Exception as e:
        print("ERROR Error sending file: %s" % e, file=sys.stderr)
        return False
```
Set up the sftp_host/username/password as parameters the user can enter when they set up their alert via SplunkWeb
Rename your App
Add some docs
Add app icons
Then bundle up your new App, publish to Splunkbase, and submit for Cloud vetting.
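
An added example, not part of the original answer or the app's own code: since the alert script's stderr ends up in splunkd's log (as the sendmodalert error earlier in the thread shows), this sketch validates the alert parameters and logs them with the password masked before calling `send_file(file, settings)`. It assumes the JSON payload a custom alert action receives on stdin carries `configuration` and `results_file`; `redact`, `load_payload`, `run`, the exit codes and the sample values are hypothetical.

```python
import io
import json
import sys

REQUIRED_KEYS = ("sftp_host", "username", "password")  # parameter names from the answer
SECRET_KEYS = {"password"}


def redact(settings):
    """Return a copy of the settings that is safe to write to stderr."""
    return {k: ("********" if k in SECRET_KEYS else v) for k, v in settings.items()}


def load_payload(stream):
    """Parse the JSON payload Splunk passes to an alert action on stdin."""
    payload = json.loads(stream.read())  # JSONDecodeError is a ValueError
    if not isinstance(payload, dict):
        raise ValueError("payload is not a JSON object")
    settings = payload.get("configuration") or {}
    missing = [k for k in REQUIRED_KEYS if not settings.get(k)]
    if missing:
        raise ValueError("missing alert parameters: " + ", ".join(missing))
    results_file = payload.get("results_file")
    if not results_file:
        raise ValueError("payload has no results_file")
    return results_file, settings


def run(stream, send_file, log=sys.stderr):
    """Validate, log without secrets, send. Returns the script's exit code."""
    try:
        results_file, settings = load_payload(stream)
    except ValueError as err:
        print("ERROR Bad alert payload: %s" % err, file=log)
        return 2
    print("DEBUG Sending %s with settings %s" % (results_file, redact(settings)), file=log)
    return 0 if send_file(results_file, settings) else 1


if __name__ == "__main__":
    # Constructed payload and a stand-in sender, so the block runs offline.
    sample = json.dumps({
        "results_file": "/tmp/constructed/results.csv.gz",
        "configuration": {"sftp_host": "sftp.example.com", "username": "exporter",
                          "password": "not-a-real-password"},
    })
    sys.exit(run(io.StringIO(sample), lambda path, settings: True))
```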