Solved: How to use python library in Splunk?

packet_hunter · ‎02-11-2016

I know there is documentation, however, can someone give a simple example (with steps) for installing/using a python module from the native python library in Splunk? If it is not native please example how to install it into SPL v 6.2.3

Any explanation how to get started with python in Splunk is appreciated.

Thank you

richgalloway · ‎02-11-2016

Generally speaking, you write a Python script that performs the needed functions and place it in your app's 'bin' directory. The script is then invoked either by a custom search command. See http://docs.splunk.com/Documentation/Splunk/6.3.3/Search/Aboutcustomsearchcommands.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

joelurtubia · ‎11-02-2017

Hello, I was the same problem with Mysql module that I was install on my Centos server

Splunk didn't work with this library, because splunk has they own python library...then you can fix it only added on the begin your script all libraries of python and also you must to add the python Centos library too... as this way

Find python packages

[root@xxxx]#find / -name site-packages
/usr/lib/python2.7/site-packages
/usr/lib64/python2.7/site-packages
/opt/splunk/etc/apps/Splunk_SA_Scientific_Python_linux_x86_64/bin/linux_x86_64/lib/python2.7/site-packages
/opt/splunk/lib/python2.7/site-packages

Find python binary

[root@xxxx]# whereis python
python: /usr/bin/python2.7 /usr/bin/python /usr/lib/python2.7 /usr/lib64/python2.7 /etc/python /usr/include/python2.7 /opt/splunk/bin/python /opt/splunk/bin/python2.7 /usr/share/man/man1/python.1.gz

include all at begin your script

import sys
sys.path.append('/usr/bin/python2.7')
sys.path.append('/usr/lib/python2.7/site-packages')
sys.path.append('/usr/lib64/python2.7/site-packages')

And that's it , you can run mysql module without any problem and create your alerts with this module.

Mysql Connection

import mysql.connector

I hope that this fix will help you
Joel Urtubia Ugarte

richgalloway · ‎02-11-2016

Generally speaking, you write a Python script that performs the needed functions and place it in your app's 'bin' directory. The script is then invoked either by a custom search command. See http://docs.splunk.com/Documentation/Splunk/6.3.3/Search/Aboutcustomsearchcommands.

---
If this reply helps you, Karma would be appreciated.

packet_hunter · ‎02-18-2016

Hi Rich, I don't have an option to accept your answer. If your comment an answer then I will accept it. Thanks

packet_hunter · ‎02-11-2016

That makes sense. Thank you

richgalloway · ‎02-11-2016

Python is built-in to Splunk so no installation is required. What do you want to do with Python? Are you creating a scripted input or something else?

---
If this reply helps you, Karma would be appreciated.

packet_hunter · ‎02-11-2016

Scenario: I need to look at all incoming email domains (e.g. sender@domain.tld) and compare them to a white list of domains to see if the new arrivals are typo-squatting, fuzzing, etc. (e.g. sender@domaininc.tld). I am not looking for exact matches but permutations of the white list.

I have tried "cluster" but it slows the search to a crawl. Therefore I was thinking of using some python scripts to do some of the heavy lifting (comparing). Maybe I am off track...

If you have any suggestions please let me know.

Of course, I am also interested in using python for other SPL enhancements as well.

Thank you

How to use python library in Splunk?

Find python packages

Find python binary

Mysql Connection

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

AppDynamics is now part of Splunk Ideas

Advanced Splunk Data Management Strategies