
Is the Scheduled Export of Indexed Data (SEND) to File app the best way to schedule an export to sftp?

Splunk Employee

I'm looking at the Scheduled Export of Indexed Data (SEND) to File app from Splunkbase
https://splunkbase.splunk.com/app/2914/

If I understand it as it stands - it is only going to try and write an alert output to a directory/file visible to the search head. I am looking for ways to push (scheduled search/alert) CSV to an SFTP location. And crucially, this will be from Splunk Cloud.

Is this app a good way to do this? Would they basically just edit the sendfile.py to send to their sftp location and get that vetted as if it was their app?

Please also comment how this approach differs from a scheduled search with script output.

0 Karma

New Member

Hello, @Damien Dallimore I am using your Send to File app and see the following error in the View log events of the app.

This is the search it produces: index=_internal sourcetype=splunkd component=sendmodalert action="sendfile"

Error 1: Alert action script returned error code=2 OR Failed trying to send file
Error 2: 01-30-2019 17:04:27.261 -0500 ERROR sendmodalert - action=sendfile STDERR - [Errno 2] No such file or directory: u'\\WS101\FTPFromAIX\SPLUNKDemandReports/Fax_Test2'

I believe under Send to File - Trigger Actions - Directory Output - it's unable to find that server path.
Can you share some guidance (or an example) on how that path should be entered?
I placed the complete path, i.e.: \WS101\FTPFromAIX\SPLUNKDemandReports
Note: It's a Windows server.

Thank you,
ARock

0 Karma

Ultra Champion

You understand correctly.

The intent of that App I put on Splunkbase is to demonstrate how you might implement a scheduled export of data using a Modular Alert.

So you can take the code and then use it as a base template for your use case, in your case, SFTP export.

You can take a copy of the code from Splunkbase or get it here:

https://github.com/damiendallimore/SplunkModularInputsPythonFramework/tree/master/implementations/se...

Then add in your SFTP logic (only a couple of lines in Python most likely), dummy code example only:

from __future__ import print_function  # same code runs under Splunk's bundled Python 2.7 and Python 3
import sys

import pysftp  # third-party; ship it inside the app (bin/) or install it into the Python that runs the alert


def send_file(file_path, settings):
    """Upload file_path to the SFTP host named in the alert's settings dict; True on success."""
    # note: settings contains the password, so this DEBUG line writes it into splunkd.log
    print("DEBUG Sending file with settings %s" % settings, file=sys.stderr)

    param_sftp_host = settings.get('sftp_host')
    param_username = settings.get('username')
    param_password = settings.get('password')

    try:
        # the context manager closes the session even when put() raises
        with pysftp.Connection(host=param_sftp_host, username=param_username,
                               password=param_password) as srv:
            srv.put(file_path)
        return True
    except Exception as tre:
        print("ERROR Error sending file: %s" % tre, file=sys.stderr)
        return False

Also:

Set up the sftp_host/username/password as parameters the user can enter when they set up their alert via SplunkWeb
Rename your App
Add some docs
Add app icons

Then bundle up your new App, publish to Splunkbase, and submit for Cloud vetting.

0 Karma
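A fuller version of that sketch, added here as an example and not code from the SEND app or its author: it reads the JSON payload Splunk pipes to a custom alert action on stdin, checks that the three SFTP parameters are present, masks the password before logging (the sketch above writes the whole settings dict, password included, to stderr, which is exactly what the _internal search earlier in the thread pulls back), verifies the server host key against known_hosts, and exits non-zero on failure. The remote_path parameter and SAMPLE_PAYLOAD are constructed assumptions, and pysftp must be importable by the Python that runs the alert.

```python
from __future__ import print_function  # runs under Splunk's Python 2.7 as well as Python 3
import json
import sys

REQUIRED = ("sftp_host", "username", "password")   # parameters the alert form must supply
SECRET_KEYS = {"password"}

# Constructed sample of the JSON Splunk pipes to a custom alert action on stdin (not a real run)
SAMPLE_PAYLOAD = json.dumps({"results_file": "/tmp/results.csv.gz", "configuration": {
    "sftp_host": "sftp.example.test", "username": "exporter", "password": "s3cret",
    "remote_path": "/inbox/demand.csv.gz"}})   # remote_path is an assumed optional parameter


def redact(settings):
    """Copy of the alert parameters with secrets masked, safe to write to splunkd.log."""
    return dict((k, "***" if k in SECRET_KEYS else v) for k, v in settings.items())


def parse_payload(raw):
    """Return (results_file, settings) from the --execute payload; ValueError if a parameter is missing."""
    payload = json.loads(raw)
    settings = payload.get("configuration", {})
    missing = [k for k in REQUIRED if not settings.get(k)]
    if missing:
        raise ValueError("missing alert parameters: " + ", ".join(missing))
    return payload["results_file"], settings


def send_file(file_path, settings, known_hosts=None):
    """Upload file_path over SFTP; the server key must already be in known_hosts (None = ~/.ssh/known_hosts)."""
    import pysftp  # imported here so the payload handling above can be tested without the library
    print("DEBUG sending %s with settings %s" % (file_path, redact(settings)), file=sys.stderr)
    try:
        cnopts = pysftp.CnOpts(knownhosts=known_hosts)  # unknown or changed host keys are rejected
        with pysftp.Connection(settings["sftp_host"], username=settings["username"],
                               password=settings["password"], cnopts=cnopts) as srv:
            srv.put(file_path, remotepath=settings.get("remote_path"))
        return True
    except Exception as exc:
        print("ERROR sending file: %s" % exc, file=sys.stderr)
        return False


if __name__ == "__main__":
    if len(sys.argv) < 2 or sys.argv[1] != "--execute":
        sys.exit("usage: sendfile.py --execute  (alert payload on stdin)")
    try:
        results_file, settings = parse_payload(sys.stdin.read())
    except (ValueError, KeyError) as exc:
        sys.exit("FATAL bad payload: %s" % exc)
    sys.exit(0 if send_file(results_file, settings) else 2)  # non-zero exit marks the action as failed
```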