
Custom command arguments

Explorer

Hello Splunkers!
I have a custom command that executes a Perl script with an argument.
Script.pl
//////////////

#!/usr/bin/perl

use strict;
use warnings;
# Backticks run curl in a shell and capture its output
my $curlResponseCode = `curl -v -H "Content-Type: application/xml" -X POST -H "X-X-API-Key: f2c3a693ef31HHHH7b2a294f0f9e5b84413" -d "<AAA><BBBB>AAA</BBBB><CCCC>50</CCCC><VVVV>$ARGV[0]</VVVV></AAAA>" "http://www.URL.com/test.xml"`;
///////////////////////
Commands.conf
[myscript]
type=perl
filename = script.pl

This script writes information to the corporate web site.
When I execute perl script.pl test, the script works fine.
I use the following search:
index=XXX
| stats count by field1
| script myscript field1
I need the value of field1, not the string field1.
I tried with ‘field1’, ‘$field1’ … and every combination that I could imagine.
Any ideas?
Thanks!

0 Karma

Re: Custom command arguments

SplunkTrust

The answers given on this question might help you: https://answers.splunk.com/answers/385936/unable-to-execute-python-script-could-be-splunk-li.html. They are for Python, though, so you need to modify your Perl script accordingly and give it a try.

0 Karma

Re: Custom command arguments

Explorer

I adapted my perl script to python:

import requests,sys,splunk.Intersplunk
keywords, argvals = splunk.Intersplunk.getKeywordsAndOptions()
argument1 = argvals.get("field1")
print(argument1)
url= "http://www.XXXXXcom/AAA.xml"
headers = {'API-Key': 'f2c3a693esb2ad02f0f9e5b84413',
           'Content-Type': 'application/xml'}
data = "% (argument1)"
r = requests.post(url, data=data, headers=headers)

But my problem now is how to pass the value of the search field to argument1. I tried:
https://answers.splunk.com/answers/409554/how-to-pass-hostname-to-a-custom-alert-script.html and others. But I am not an expert in Python.

Thanks

0 Karma

Re: Custom command arguments

SplunkTrust

I have created the sample script below in Python, which finds the hostname from the output and ingests data into Splunk using HTTP Event Collector.

test.py

import requests,sys,splunk.Intersplunk,json
keywords, argvals = splunk.Intersplunk.getKeywordsAndOptions()

try:
    # HEC token and endpoint of the local HTTP Event Collector
    head={"Authorization":"Splunk 34b7bbe4-f239-44b5-ba65-61d5bec103af", "Content-Type": "application/json"}
    url="http://localhost:8088/services/collector/event"
    # getOrganizedResults() returns a tuple; its first element is the list of result rows
    results = splunk.Intersplunk.getOrganizedResults()
    item = results[0]
    for a in item:
        b = a['host']
    # Only the host of the last row is sent
    data={"sourcetype": "test", "event": b}
    r = requests.post(url, data=json.dumps(data), headers=head)
except Exception, e:
    splunk.Intersplunk.parseError(e)

commands.conf

[testcommand]
filename = test.py
local = true
supports_rawargs = false

Splunk query which I am running

index=_internal | stats count by host | testcommand

I hope this helps to create your own script based on your requirement.


0 Karma

Re: Custom command arguments

Explorer

Hello, thanks, it works fine!!
Thanks a lot.
Just one remark: I need to change except Exception, e: to except Exception as e:

0 Karma

Re: Custom command arguments

Explorer

harsmarvania57, post it as an answer and I will set it as correct.

0 Karma

Re: Custom command arguments

SplunkTrust

Glad to hear that it worked. I have converted my comment to an answer; please accept and upvote it.

0 Karma

Re: Custom command arguments

Explorer

Hi, one last question ^_^
My query returns many results; I need to make a request for each result.

Thanks!

0 Karma

Re: Custom command arguments

SplunkTrust

Here is the updated Python script:

import requests,sys,splunk.Intersplunk,json
keywords, argvals = splunk.Intersplunk.getKeywordsAndOptions()

try:
    # HEC token and endpoint of the local HTTP Event Collector
    head={"Authorization":"Splunk 34b7bbe4-f239-44b5-ba65-61d5bec103af", "Content-Type": "application/json"}
    url="http://localhost:8088/services/collector/event"
    results = splunk.Intersplunk.getOrganizedResults()
    item = results[0]
    # One POST per result row
    for a in item:
        b = a['host']
        data={"sourcetype": "test", "event": b}
        r = requests.post(url, data=json.dumps(data), headers=head)
except Exception as e:
    splunk.Intersplunk.parseError(e)

If it works then you can upvote my comment.

0 Karma

Re: Custom command arguments

Explorer

I am using r = requests.post(url, data=data2, headers=head); my data is in XML format.

0 Karma
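
The per-result XML request this thread ends on, as an added example that is not part of any post above: it builds one XML body per result row and escapes the field value, so characters such as < or & in event data cannot change the structure of the document. The function names, the example.com URL and the well-formed version of the thread's placeholder XML are assumptions; the rows are constructed and have the shape of the list the answer reads from getOrganizedResults()[0].

```python
import urllib.request
from xml.sax.saxutils import escape

# Placeholder endpoint (assumption); the thread only shows redacted URLs.
URL = "http://www.example.com/test.xml"

def build_body(value):
    """XML body for one result. The field value is escaped so that <, > or &
    in event data cannot change the structure of the document."""
    return ("<AAA><BBBB>AAA</BBBB><CCCC>50</CCCC><VVVV>%s</VVVV></AAA>"
            % escape(str(value)))

def post_xml(url, body, api_key):
    """Send one body with the standard library and return the HTTP status."""
    req = urllib.request.Request(
        url, data=body.encode("utf-8"), method="POST",
        headers={"Content-Type": "application/xml", "API-Key": api_key})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status

def send_per_result(results, field, api_key, send=post_xml, url=URL):
    """Make one request per result row; rows without the field are skipped.
    Returns a list of (field value, status) pairs."""
    statuses = []
    for row in results:
        value = row.get(field)
        if value in (None, ""):
            continue
        statuses.append((value, send(url, build_body(value), api_key)))
    return statuses

if __name__ == "__main__":
    # Constructed rows shaped like `stats count by field1` output. In a Splunk
    # script they would come from splunk.Intersplunk.getOrganizedResults()[0].
    rows = [{"field1": "web01", "count": "3"}, {"field1": "a<b&c", "count": "1"}]
    # Stand-in sender so the example runs offline; it only echoes the body.
    def show(url, body, api_key):
        print(body)
        return 200
    print(send_per_result(rows, "field1", "constructed-key", send=show))
```

Passing the API key in as a parameter keeps it out of the script file, unlike the hard-coded keys in the scripts above.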