Developing for Splunk Enterprise

How to use python library in Splunk?

Contributor

I know there is documentation, however, can someone give a simple example (with steps) for installing/using a python module from the native python library in Splunk? If it is not native, please show an example of how to install it into SPL v 6.2.3.

Any explanation how to get started with python in Splunk is appreciated.

Thank you


SplunkTrust

Generally speaking, you write a Python script that performs the needed functions and place it in your app's 'bin' directory. The script is then invoked by a custom search command. See http://docs.splunk.com/Documentation/Splunk/6.3.3/Search/Aboutcustomsearchcommands.

---
If this reply helps you, an upvote would be appreciated.


Explorer

Hello, I had the same problem with the MySQL module that I installed on my CentOS server.

Splunk didn't work with this library, because Splunk has its own Python library... so you can only fix it by adding, at the beginning of your script, all the Python libraries, and you must also add the CentOS Python library, this way:

Find python packages

[root@xxxx]#find / -name site-packages
/usr/lib/python2.7/site-packages
/usr/lib64/python2.7/site-packages
/opt/splunk/etc/apps/SplunkSAScientificPythonlinuxx8664/bin/linuxx8664/lib/python2.7/site-packages
/opt/splunk/lib/python2.7/site-packages

Find python binary

[root@xxxx]# whereis python
python: /usr/bin/python2.7 /usr/bin/python /usr/lib/python2.7 /usr/lib64/python2.7 /etc/python /usr/include/python2.7 /opt/splunk/bin/python /opt/splunk/bin/python2.7 /usr/share/man/man1/python.1.gz

Include all of them at the beginning of your script:

import sys
# Make the system (CentOS) site-packages visible to Splunk's bundled interpreter.
# /usr/bin/python2.7 is the interpreter binary, not a package directory, so adding it to
# sys.path does nothing; only the site-packages directories below are needed.
# Caution: C extensions built for the system Python may fail to import under Splunk's Python.
sys.path.append('/usr/lib/python2.7/site-packages')
sys.path.append('/usr/lib64/python2.7/site-packages')

And that's it, you can run the MySQL module without any problem and create your alerts with this module.

MySQL Connection

import mysql.connector

I hope that this fix will help you
Joel Urtubia Ugarte


Contributor

Hi Rich, I don't have an option to accept your answer. If you make your comment an answer, then I will accept it. Thanks


Contributor

That makes sense. Thank you


SplunkTrust

Python is built-in to Splunk so no installation is required. What do you want to do with Python? Are you creating a scripted input or something else?

---
If this reply helps you, an upvote would be appreciated.

Contributor

Scenario: I need to look at all incoming email domains (e.g. sender@domain.tld) and compare them to a white list of domains to see if the new arrivals are typo-squatting, fuzzing, etc. (e.g. sender@domaininc.tld). I am not looking for exact matches but permutations of the white list.

I have tried "cluster" but it slows the search to a crawl. Therefore I was thinking of using some python scripts to do some of the heavy lifting (comparing). Maybe I am off track...

If you have any suggestions please let me know.

Of course, I am also interested in using python for other SPL enhancements as well.

Thank you

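A sketch of the "heavy lifting" described in the scenario above, as an added example that is not part of this thread: a pure-Python lookalike check (edit distance plus brand-embedded-in-label) run over constructed sample sender domains. This is the kind of logic one would place in the app's bin directory and wrap in a custom search command; the allow list, sample senders, threshold and function names are assumptions made for the example.

```python
# Constructed sample data: an allow list and a batch of observed sender domains.
ALLOWLIST = ["domain.tld", "example.com"]
OBSERVED = ["domain.tld", "domaininc.tld", "dornain.tld", "domian.tld",
            "unrelated.org", "exarnple.com"]

def edit_distance(a, b):
    """Optimal string alignment distance: a swapped pair ('ai' -> 'ia') costs one edit."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            d = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                d = min(d, prev2[j - 2] + 1)  # adjacent transposition
            cur.append(d)
        prev2, prev = prev, cur
    return prev[-1]

def registrable_label(domain):
    """'mail.domain.tld' -> 'domain'. Assumes a one-label public suffix (no co.uk handling)."""
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]

def lookalikes(sender_domains, allowlist, max_distance=2):
    """Return (observed, nearest_allowed, distance) for domains near, but not on, the allow list."""
    allowed = sorted({d.lower().rstrip(".") for d in allowlist})
    hits = []
    for observed in sender_domains:
        obs = observed.lower().rstrip(".")
        if obs in allowed:
            continue  # exact match is legitimate
        core = registrable_label(obs)
        for good in allowed:
            good_core = registrable_label(good)
            dist = edit_distance(core, good_core)
            # Flag near-misses, and brand-embedding names such as 'domaininc' ('domain' + suffix).
            # A fixed threshold over-matches very short labels; scale it with length in production.
            if dist <= max_distance or (len(good_core) >= 4 and good_core in core):
                hits.append((observed, good, dist))
                break
    return hits

if __name__ == "__main__":
    # Stand-alone run over the constructed sample. Inside Splunk the same function would be
    # fed the search results a custom search command receives (see the linked docs).
    for observed, good, dist in lookalikes(OBSERVED, ALLOWLIST):
        print("%s looks like %s (edit distance %d)" % (observed, good, dist))
```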