Archive

Where to place common python libraries

New Member

I have multiple alert actions in Python. I am trying to have the modalert helper for each action to load a common library, which I would like to place in this package. I do not know where is the appropriate location within the package directory structure to place such a library.

0 Karma

New Member

I created the directory you stated:

$SPLUNK_HOME/etc/apps/your_app_name/bin/lib

I then created:

$SPLUNK_HOME/etc/apps/your_app_name/bin/commands.conf.  

Inside I added:

# type of script: 'python', 'perl'
 TYPE = python

# is command streamable?
streaming = false

# maximum data that can be passed to command (0 = no limit)
maxinputs = 50000

[test_sdk]
filename = test_sdk.py

In bin/lib I have an init.py file and test_sdk.py

[root@splunk lib]# ls -l
total 0
-rw-r--r--. 1 root root 0 Mar 11 12:01 __init__.py
-rw-r--r--. 1 root root 0 Mar 11 12:00 test_sdk.py

In $SPLUNKHOME/etc/apps/yourappname/bin/taadaptiveresponse/, I have "modalertblacklistblockhelper.py". This file has "import testsdk".

When I run a test, it still can't import test_sdk. Any ideas?

0 Karma

Influencer

Two things I can see right away:

1 - The commands.conf is a conf file and must be placed under $SPLUNKHOME/etc/apps/yourappname/local or $SPLUNKHOME/etc/apps/yourappname/default, so move it to either of the directories.

2 - The test you are performing, "import test_sdk", I suggest you first try it by using this:

Go to the $SPLUNKHOME/etc/apps/yourappname/bin/ (**where testsdk.py must be**)

Then try executing this for test:
$SPLUNKHOME/bin/splunk cmd python testsdk.py

If it still doesn't work, you need to append new directories for which python will search for modules to import, adding this to your modalertblacklistblockhelper.py (before the import testsdk)

import os, stat
import sys

dir = os.path.join(os.path.join(os.environ.get('SPLUNK_HOME')), 'etc', 'apps', 'your_app_name', 'bin','lib')
if not dir in sys.path:
    sys.path.append(dir)

And finally, I am not aware of the structure of having a TA inside an a Splunk App, I've never seen that before anywhere honestly, I can't judge that

0 Karma

Influencer

Please let me know if the answer was useful for you. If it was, accept it and upvote. If not, give us more input so we can help you with that

0 Karma

New Member

Have you seen this documented anywhere? As I look at other AR apps, I never see this. I trust you are correct, so let me give this a try.

0 Karma

Influencer

What do you mean AR app?

0 Karma

New Member

Adaptive Response

0 Karma

Influencer

Well I believe they work the same way though.

Let me know if they don't 🙂

0 Karma

New Member

I just posted a more details msg here. It is pending moderator approval.

0 Karma

Influencer

Any python library you want to add should be in:

$SPLUNKHOME/etc/apps/yourapp_name/bin/lib

Remember that in the lib folder, the sub-folders containing the py library must contain file init.py

Let me know if solved your question and if so, please accept the answer for future queries

0 Karma

New Member

How can I make it part of the AR app itself? This would be more of a helper function vs. a proper library. When using the app builder, the bin/ directory has many mainstream libs. I would like to embed it in a similar fashion, for all my actions. I just don't know what is the proper location to pass validation. Thanks.

0 Karma

Influencer

Well if you put it in the app folder, under /bin/lib/ (not under /bin) then it is part of the app.
That's it!

If you are planning to create an custom command in Splunk with the python library, you also need to configure commands.conf in that same app you put the python library. The python script that the command would call should be in the app folder, under /bin

0 Karma