Splunk Dev

How do you create a Splunk alert action that sends all results to a Python script?

sboogaar
Path Finder

Im trying to make a simple Python script that uses all the search results at once.

e.g
the search is

index="someindex"

the result is

amount | host

1 | some-host
3 | some-host-2
6 | some-host

I want to be able to get all the results in my Python script.

In my alert_actions.conf, I can use e.g. param.param1 = I can use a token: $result.amount$.

But, this only gives the value for the first row. I want to handle all results at once.

When looking at other alert actions, the Send email action is able to generate a whole table which means the data can be passed.

Can anyone give the most basic example of how to pass ALL the search results to a Python script?

0 Karma
1 Solution

renjith_nair
SplunkTrust
SplunkTrust

@sboogaar,

When you call a script as part of an alert action, you could use the 8th argument, which is the file name and location in which the results for the search are stored. It contains raw results in gzip file format. So, in your Python script, you could use that file and read the full search result.

See here for e.g. : https://docs.splunk.com/Documentation/Splunk/7.2.0/Alert/Configuringscriptedalerts

and more in https://docs.splunk.com/Documentation/Splunk/7.2.0/AdvancedDev/CustomAlertConvertScripted

Happy Splunking!

View solution in original post

renjith_nair
SplunkTrust
SplunkTrust

@sboogaar,

When you call a script as part of an alert action, you could use the 8th argument, which is the file name and location in which the results for the search are stored. It contains raw results in gzip file format. So, in your Python script, you could use that file and read the full search result.

See here for e.g. : https://docs.splunk.com/Documentation/Splunk/7.2.0/Alert/Configuringscriptedalerts

and more in https://docs.splunk.com/Documentation/Splunk/7.2.0/AdvancedDev/CustomAlertConvertScripted

Happy Splunking!

sboogaar
Path Finder

How does one use those result.csv.gz files in python?
I assume other people did it before but I can not find a link to an example or am I overlooking the obvious.
Our Splunk env is running python 2.7.13.
Edit: it is working now with: https://docs.python.org/2.7/library/gzip.html#module-gzip

0 Karma

renjith_nair
SplunkTrust
SplunkTrust

I had done something similar like this to open and read

def open_res_file(file_name):
    if file_name.endswith(".gz"):
        return gzip.open(file_name)
    else
        return open(file_name)

result_reader=csv.reader(open_res_file(file_name))

Once you have the content, loop through that and process the data how you want. Let me know if you need any help

Happy Splunking!
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...