How to pass values (dynamically derived from event...

nikkkc · ‎02-18-2016

Can I pass values (dynamically derived from event) to a Python script as command line arguments, do some magic in the script, and pass the new values back to Splunk? isp.outputResults(results)?

I tried this, but in the script, the argument is interpreted like a string. I mean the script knows just the name of the string, not the value!

MuS · ‎02-18-2016

Hi nikkkc,

take a look at the docs http://docs.splunk.com/Documentation/Splunk/6.2.8/AdvancedDev/SearchScripts#Build_your_search_comman... to learn more about this topic. The important part is to import splunk.Intersplunk in your Python script, so the script can receive the results of the Splunk search and process them.

Here is an example of a script I use:

myresults,dummyresults,settings = splunk.Intersplunk.getOrganizedResults() # getting search results form Splunk
for r in myresults: # loop the results
    for k, v in r.items(): # get key value pairs for each result
        if k == "server": # get key
            section_name = v # set value

This will check the results passed by Splunk for a field called server and if found it uses its value.
At the end of the script it will return the output back to Splunk using this line:

 splunk.Intersplunk.outputResults(results) # print the result into Splunk UI

Hope this helps ...

cheers, MuS

aab5272 · ‎07-13-2017

@MuS I used the same
results,dummyresults,settings = splunk.Intersplunk.getOrganizedResults()
to grab the events from search results but it doesnt work ?

any ideas ?

How to pass values (dynamically derived from event) to a Python script as command line arguments?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms