creating splunk search in python script

thambisetty
SplunkTrust

Hi Splunk,

I am trying to create a Splunk search in my Python script, where the script is being used to create an HPSM ticket.

I have created an HPSM action and added it to a correlation search as an adaptive response action. This executes a Python script, and I need to find the event_id for orig_sid (the sid from Splunk standard input) before creating the ticket, and add the event_id to the request that creates the HPSM ticket. For this I have created a method in the same script that runs a search to get the event id for that sid. The search is returning nothing. If I run the method in a different Python script, it works fine.

Here is my method which creates the search in Splunk (I used both create and export):

import logging

import splunklib.client as client
import splunklib.results as results

logger = logging.getLogger(__name__)

def run_search(sid):
    logger.debug("Entered with sid '%s'", sid)
    # sid = 'scheduler_s785863SplunkEnterpriseSecuritySuite_RMD53eff93817270d051_at_1511794860_96'
    # kwargs_export = {"earliest_time": "-24h", "latest_time": "now", "search_mode": "normal", "output_mode": "json"}
    searchquery_export = "search `notable`| search orig_sid=" + sid + " | table event_id"
    logger.debug("Search Query '%s'", searchquery_export)
    service = client.connect(username="splunk", password="********")
    logger.debug("Service connect %s", service)
    # time.sleep(60)
    # exportsearch_results = service.jobs.export(searchquery_export, **kwargs_export)
    # Jobs.create() takes the job options as keyword arguments, not as a dict;
    # a blocking job returns only once the search has finished.
    job = service.jobs.create(searchquery_export, exec_mode="blocking")
    logger.debug("Inner job SID '%s'", job.sid)
    result_stream = job.results()
    reader = results.ResultsReader(result_stream)
    for item in reader:
        logger.debug("Inner job Results '%s'", item)
    # query_results = exportsearch_results.read()
    # logger.debug("Notable Result '%s'", query_results)
    # return query_results
If I use a static sid, it works.

Please help me out.
Thanks in advance.

————————————
If this helps, give a like below.

hardikJsheth
Motivator

Try surrounding sid with quotes, i.e.

searchquery_export = "search `notable`| search orig_sid=\"" + sid + "\" | table event_id"

I use the searchAll/searchOne methods of Splunk for executing a search from a Python script, which is easier compared to creating a job. Sharing it for your reference.

import splunk.search as splunkSearch

def get_labels(workload_uuid, session_key, app_name):
    # searchAll runs the search with the supplied session key and returns the result rows
    labels = splunkSearch.searchAll(
        '| inputlookup abc_workload_mapping_lookup | search workload_d="%s" hostname = "*" | dedup type | table href type' % workload_uuid,
        sessionKey=session_key, namespace=app_name, owner='nobody')
    labelsList = []
    return labels, labelsList
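The quoting advice above, carried a step further as an added example (not code from either post or from the Splunk SDK): the sid is stripped, escaped and quoted so that a value taken from the alert payload cannot close the orig_sid term and append further SPL, the blocking job is created with the keyword form that splunklib's Jobs.create() expects, and the result rows are reduced to a list of event_id values. It assumes an already connected splunklib.client.Service passed in as `service`; the `reader_factory` parameter is a hook of my own so the function can be exercised without a live Splunk.

```python
import logging

logger = logging.getLogger(__name__)


def spl_quote(value):
    """Return value as a double-quoted SPL string literal: stdin whitespace is
    stripped, backslashes and double quotes escaped, so a sid from the alert
    payload cannot close the quotes and append further SPL."""
    cleaned = value.strip()
    escaped = cleaned.replace("\\", "\\\\").replace('"', '\\"')
    return '"' + escaped + '"'


def build_notable_search(sid):
    """Notable lookup for one originating search id (quoted as advised above)."""
    return "search `notable` | search orig_sid=" + spl_quote(sid) + " | table event_id"


def event_ids_from_rows(rows):
    """Collect event_id values; ResultsReader yields dict rows interleaved
    with Message objects (search-log messages), so only dict rows count."""
    ids = []
    for row in rows:
        if isinstance(row, dict) and row.get("event_id"):
            ids.append(row["event_id"])
    return ids


def run_search(service, sid, reader_factory=None, earliest="-24h", latest="now"):
    """Run the blocking search and return the matching event_id values.
    service: a connected splunklib.client.Service (assumed). reader_factory:
    turns job.results() into rows; defaults to splunklib.results.ResultsReader
    and exists only so the function can be exercised without a live Splunk."""
    if reader_factory is None:
        from splunklib import results  # lazy: helpers above need no SDK
        reader_factory = results.ResultsReader
    query = build_notable_search(sid)
    logger.debug("Search query %s", query)
    # exec_mode is a keyword argument: Jobs.create(query, **kwargs)
    job = service.jobs.create(query, exec_mode="blocking",
                              earliest_time=earliest, latest_time=latest)
    logger.debug("Inner job SID %s", job.sid)
    # count=0 asks the results endpoint for every row, not the default page
    return event_ids_from_rows(reader_factory(job.results(count=0)))
```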

thambisetty
SplunkTrust

Thanks for your answer.

How did you get the session key?


hardikJsheth
Motivator

If it's a Python script, you need to set the "passAuth" variable in inputs.conf.

passAuth = splunk-system-user

Splunk will pass the session key as an argument to your Python script, which can be accessed with the following line.

import sys

# The session key arrives on standard input as the first line
sessionKey = sys.stdin.readline().strip()

In case it's an AR action, you can access it from modaction.session_key.


hardikJsheth
Motivator

@thambisetty did you resolve your problem? It will be helpful for all if you can provide your solution here.


thambisetty
SplunkTrust

The script is working when I run it separately, but when I include it in the other script it's not working.

What I have observed so far:
I have created two Python files: 1. an adaptive response which takes the payload from the notable event and creates a ticket in HPSM; 2. while updating the ticket, I need to get the event_id by running a search against notable with the filter orig_sid.
I am calling the 2nd script from the first script's main function. The second script is being called with the orig_id parameter and gives a job_id in the logging, but does not give results. This is where I got stuck.

If I run the second script alone by passing static values, it works fine.

Please let me know your experiences if you have already seen this before.
