Hi Splunk,
I am trying to run a Splunk search from my Python script, where the script is being used to create an HPSM ticket.
I have created an HPSM action and added it to the correlation search as an adaptive response action; this executes the Python script. Before creating the ticket I need to find the event_id for orig_sid (the sid from Splunk's standard input) and add the event_id to the request that creates the HPSM ticket. For this I have created a method in the same script that runs a search to get the event_id for that sid. The search is returning nothing. If I run the method from a different Python script it works fine.
Here is my method which creates the search in Splunk (I tried both create and export):
import logging
from splunklib import client, results

logger = logging.getLogger(__name__)

def run_search(sid):
    logger.debug("Entered with sid '%s'", sid)
    # static sid used while testing:
    # sid = 'scheduler_s785863SplunkEnterpriseSecuritySuite_RMD53eff93817270d051_at_1511794860_96'
    # kwargs_export = {"earliest_time": "-24h", "latest_time": "now", "search_mode": "normal", "output_mode": "json"}
    searchquery_export = "search `notable`| search orig_sid=" + sid + " | table event_id"
    logger.debug("Search Query '%s'", searchquery_export)
    service = client.connect(username="splunk", password="********")
    logger.debug("Service connect %s", service)
    # time.sleep(60)
    # exportsearch_results = service.jobs.export(searchquery_export, **kwargs_export)
    # jobs.create() takes the job options as keyword arguments, not as a dict
    job = service.jobs.create(searchquery_export, exec_mode="blocking")
    logger.debug("Inner job SID '%s'", job)
    result_stream = job.results()
    reader = results.ResultsReader(result_stream)
    event_ids = []
    for item in reader:
        logger.debug("Inner job Results '%s'", item)
        if isinstance(item, dict) and "event_id" in item:
            event_ids.append(item["event_id"])
    # query_results = exportsearch_results.read()
    # logger.debug("Notable Result '%s'", query_results)
    return event_ids
If I use a static sid, it works.
Please help me out.
Thanks in advance.
Try surrounding sid with quotes
i.e.
searchquery_export = "search `notable`| search orig_sid=\"" + sid + "\" | table event_id"
I use the searchAll/searchOne methods of Splunk for executing a search from a Python script, which is easier compared to creating a job. Sharing it for your reference.
import splunk.search as splunkSearch

# session_key, app_name and workload_uuid are provided by the calling script
labels = splunkSearch.searchAll(
    ('| inputlookup abc_workload_mapping_lookup '
     '| search workload_d="%s" hostname="*" '
     '| dedup type | table href type') % workload_uuid,
    sessionKey=session_key, namespace=app_name, owner='nobody')
labelsList = []
Thanks for your answer.
How did you get the session key?
If it's a Python script, you need to set the "passAuth" variable in inputs.conf.
passAuth = splunk-system-user
Splunk will pass the session key as an argument to your Python script, which can be accessed with the following line.
sessionKey = sys.stdin.readline().strip()
In case it's AR action, you can access it from modaction.session_key.
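Putting the two answers above together (quote the sid, and use the session key Splunk hands the action instead of a stored password), here is an added example that is not thambisetty's script and not Splunk's own code. It assumes the adaptive response action runs as a modular alert action with `payload_format = json`, so that Splunk writes a JSON payload to stdin whose `session_key`, `server_uri` and `sid` fields are the session, the management URI and the sid of the correlation search run that created the notable. It also assumes the Splunk Python SDK (`splunklib`) is importable from the script. The retry loop is an assumption about a short lag between the notable being written and the action firing; the sample payload is constructed for illustration.

```python
"""Added example: run the notable lookup from an adaptive response action
using the payload's session key and a safely quoted orig_sid."""
import json
import sys
import time
from urllib.parse import urlparse

# Constructed sample of what an alert action receives on stdin with --execute.
# (Not a real payload; the sid and key are made up.)
SAMPLE_PAYLOAD = json.dumps({
    "session_key": "constructed-session-key",
    "server_uri": "https://127.0.0.1:8089",
    "sid": "scheduler__nobody__SplunkEnterpriseSecuritySuite__RMD5constructed_at_1511794860_96",
    "search_name": "Example - Constructed Rule",
    "result": {"_time": "1511794860", "src": "10.0.0.5"},
})


def parse_payload(raw):
    """Parse the JSON payload Splunk writes to stdin and check the fields we rely on."""
    payload = json.loads(raw)
    for key in ("session_key", "server_uri", "sid"):
        if not payload.get(key):
            raise ValueError("payload is missing %r" % key)
    return payload


def spl_quote(value):
    """Quote a value for an SPL field=value comparison.
    Backslashes and double quotes inside the value are escaped, so a sid (or any
    other field value) can never close the string and change the search."""
    escaped = str(value).replace("\\", "\\\\").replace('"', '\\"')
    return '"%s"' % escaped


def build_notable_search(sid):
    """SPL that returns the event_id of notables created by correlation search run `sid`."""
    return "search `notable` | search orig_sid=%s | table event_id" % spl_quote(sid)


def event_ids_from_rows(rows):
    """Keep only result rows that carry event_id (ResultsReader also yields Message objects)."""
    return [row["event_id"] for row in rows if isinstance(row, dict) and "event_id" in row]


def connect_with_session_key(payload):
    """Connect to the same Splunk instance with the payload's session key.
    No username or password has to be stored in the script."""
    from splunklib import client  # imported here so the helpers above work without the SDK
    uri = urlparse(payload["server_uri"])
    return client.connect(scheme=uri.scheme, host=uri.hostname, port=uri.port,
                          token=payload["session_key"])


def event_ids_for_sid(service, sid, attempts=6, delay=10):
    """Run the notable search blocking and return the event_id values.
    Assumption: the notable may not be searchable the instant the action fires,
    so an empty result is retried a few times before giving up."""
    from splunklib import results
    query = build_notable_search(sid)
    for attempt in range(attempts):
        job = service.jobs.create(query, exec_mode="blocking",
                                  earliest_time="-24h", latest_time="now")
        ids = event_ids_from_rows(results.ResultsReader(job.results(count=0)))
        if ids:
            return ids
        if attempt < attempts - 1:
            time.sleep(delay)
    return []


if __name__ == "__main__":
    # Splunk invokes alert action scripts as: script.py --execute  (payload on stdin)
    if len(sys.argv) > 1 and sys.argv[1] == "--execute":
        payload = parse_payload(sys.stdin.read())
        service = connect_with_session_key(payload)
        print(event_ids_for_sid(service, payload["sid"]))
    else:
        # offline demonstration of the query that would be sent
        print(build_notable_search(parse_payload(SAMPLE_PAYLOAD)["sid"]))
```

Because the payload's `sid` is the correlation search run that produced the notable, it is the value to match against `orig_sid`; the quoting in `spl_quote` is what the first answer recommends, extended to escape characters that a bare pair of quotes would not handle.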
@thambisetty did you resolve your problem? It will be helpful for all if you can provide your solution here .
The script works when I run it separately, but when I include it in the other script it does not work.
What I have observed so far:
I have created two Python files: 1. the adaptive response, which takes the payload from the notable event and creates the ticket in HPSM; 2. while updating the ticket, I need to get the event_id by running a search against notable with the filter orig_sid.
I am calling the second script from the first script's main function. The second script is called with the orig_id parameter and it logs a job_id, but it does not return results. This is where I got stuck.
If I run the second script alone, passing static values, it works fine.
Please let me know your experiences if you have already seen this before.