Splunk Dev

What's the point of custom Python scripts?

Dark_Ichigo
Builder

What's the point of creating a custom script in Python for Splunk?
I read that you can use it to handle your Splunk search results, but you can already do that via the browser interface. What else can you do?

If this is beneficial, where can I find tutorials to help write Python scripts for Splunk?
By the way, I already know how to program in Python.

0 Karma
1 Solution

mw
Splunk Employee

We're talking about 2 different cases where you could write a script. The first, when you need to gather data from somewhere that doesn't have a logfile, you use a "scripted input". That scripted input would be run on an interval, as specified in inputs.conf (i.e. the script provides "input"/data to Splunk).

# inputs.conf
[script://./bin/myscript.sh]
interval = 300
source = myscript
sourcetype = myscript

With that definition, myscript.sh will run every 5 minutes, and whatever data it prints out will be indexed within Splunk -- as OL said, it's nice for getting data from databases and APIs, etc.

Now, the second case is when you find that you need an extra feature within the search language that doesn't exist already (e.g. I want to add geolocation data to my events), or is possibly too challenging using standard search commands. You create a script (these scripts must make calls to Splunk APIs) and a corresponding commands.conf entry:

[geoip]
filename = geoipcmd.py
streaming = true
supports_getinfo = true
maxinputs = 0

This new command is then available in your searches:

sourcetype=firewall src_ip=* | geoip src_ip

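As an added example (not mw's code and not Splunk's own), here is what the script behind a commands.conf stanza like the one above can look like, written with the standard library only so it runs outside Splunk. The protocol it assumes is the plain form of the legacy external-command interface: the search results arrive as CSV on stdin, the transformed results go back as CSV on stdout, and the field to examine is the first argument. With mw's settings (supports_getinfo = true, and the default enableheader = true) Splunk first invokes the script with a __GETINFO__ argument and prefixes the results with a header block; the splunk.Intersplunk helpers (readResults, outputResults) take care of both, so this stand-alone version assumes a stanza with supports_getinfo = false and enableheader = false, and a command name of ipclass. Since geolocation needs an offline database, the command instead adds an src_ip_class field (private, public, loopback, multicast, link_local, reserved, invalid), which is already useful for firewall triage. It assumes Python 3 for the ipaddress module; older Splunk releases shipped a Python 2 interpreter.

```python
#!/usr/bin/env python3
"""Streaming custom search command, stdlib only (added example, not mw's).

Protocol assumed: search results arrive as CSV on stdin, transformed
results go back as CSV on stdout, the field to examine is argv[1].
Invoked from a search as:  sourcetype=firewall src_ip=* | ipclass src_ip
"""
import csv
import io
import ipaddress
import sys


def classify_ip(value):
    """Coarse class of one IP string; anything that does not parse is 'invalid'."""
    try:
        ip = ipaddress.ip_address((value or "").strip())
    except ValueError:
        return "invalid"
    # Order matters: loopback and link-local addresses also count as private.
    if ip.is_loopback:
        return "loopback"
    if ip.is_multicast:
        return "multicast"
    if ip.is_link_local:
        return "link_local"
    if ip.is_reserved:
        return "reserved"
    if ip.is_private:
        return "private"
    return "public"


def enrich_rows(rows, field):
    """Return copies of the result rows (dicts) with <field>_class added.
    Rows lacking the field get 'invalid' so a later `| search` can still filter."""
    out_field = field + "_class"
    enriched = []
    for row in rows:
        new_row = dict(row)
        new_row[out_field] = classify_ip(row.get(field))
        enriched.append(new_row)
    return enriched


def run_command(argv, stdin, stdout):
    """Read CSV results from stdin, write enriched CSV to stdout; returns row count."""
    if len(argv) < 2:
        raise SystemExit("usage: ipclasscmd.py <ip_field>")
    field = argv[1]
    reader = csv.DictReader(stdin)
    rows = enrich_rows(list(reader), field)
    fieldnames = list(reader.fieldnames or [])
    if field + "_class" not in fieldnames:
        fieldnames.append(field + "_class")
    writer = csv.DictWriter(stdout, fieldnames=fieldnames, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return len(rows)


# Constructed sample of what Splunk would pipe in for `... | ipclass src_ip`
SAMPLE_CSV = """_time,src_ip,action
1700000000,10.1.2.3,allow
1700000001,8.8.8.8,deny
1700000002,not-an-ip,deny
"""


def run_on_sample():
    """Run the command over SAMPLE_CSV and return the CSV it would emit."""
    out = io.StringIO()
    run_command(["ipclasscmd.py", "src_ip"], io.StringIO(SAMPLE_CSV), out)
    return out.getvalue()


if __name__ == "__main__":
    if sys.stdin.isatty():
        sys.stdout.write(run_on_sample())  # no Splunk on stdin: show the sample
    else:
        run_command(sys.argv, sys.stdin, sys.stdout)
```

Every input field is copied through unchanged and only one column is appended, which is what streaming = true promises Splunk: the command can be applied chunk by chunk without seeing the whole result set. Malformed addresses become invalid rather than aborting the search, so a single bad log line cannot kill the pipeline.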

Dark_Ichigo
Builder

-Thanks a bunch mw, but after I've added my script to the inputs.conf file, how do I search for it?

My script is a MySQL query script from a Solaris host. Do I have to add this to inputs.conf, or am I good to go?

-So you're saying that Python and Perl scripts are only used if I were to add a new search feature to Splunk?

-Does Splunk support Python 3.1?

0 Karma

OL
Communicator

Hi,

If you are talking about Python scripts at index time, this is a great feature when Splunk is not able to get the data itself, such as from a database or an application API. You can find lots of information about this at http://www.splunk.com/base/Documentation/4.2.1/Developer/ScriptSetup (replace the 4.2.1 with the latest release version or the one you are using).

If you are talking about the Python search command, one idea is that you could use it when creating a Python scripted input and you want to change the input data according to the data already indexed in Splunk. For more information about Python search commands, have a look at: http://www.splunk.com/base/Documentation/4.2.1/SearchReference/WriteaPythonsearchcommand

If you want to search Splunk using Python and integrate the result into your third-party application, I would suggest having a look at the REST API that you will find in the documentation section.

Hope it helps.

Regards,
Olivier
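To show what a scripted input of the kind OL and mw describe (a script polling a database that has no log file) actually has to print, here is an added example; it is not OL's code, not Splunk's, and the "query results" are constructed rows rather than a real MySQL connection. Two details matter in practice and both are in the script: each event starts with an ISO 8601 timestamp so Splunk's timestamp recognition picks it up, and a checkpoint file records the last row id emitted so the 5-minute re-runs from inputs.conf do not index the same rows again. The checkpoint path, the file format, and the quoting rule for values containing spaces or quotes are all assumptions of this example.

```python
#!/usr/bin/env python3
"""Scripted input that emits one event per line (added example, not OL's or Splunk's).

Stands in for a database-polling script that inputs.conf runs every
`interval` seconds. Rows are fetched newer than a stored checkpoint, so a
re-run emits only rows Splunk has not indexed yet. The SQL rows are
constructed here; a real script would run the query instead of fetch_rows().
"""
import io
import json
import os
import sys
import tempfile
from datetime import datetime, timezone

# Constructed stand-in for: SELECT id, ts, user, host, status FROM logins
# WHERE id > <checkpoint> ORDER BY id
SAMPLE_ROWS = [
    {"id": 101, "ts": 1700000000, "user": "alice", "host": "db01", "status": "ok"},
    {"id": 102, "ts": 1700000060, "user": "bob smith", "host": "db01", "status": "failed"},
    {"id": 103, "ts": 1700000120, "user": "eve", "host": "db02", "status": 'says "hi"'},
]


def quote(value):
    """Quote values containing spaces, quotes, commas or '=' so key=value
    extraction keeps them whole; inner quotes are backslash-escaped (assumed rule)."""
    text = str(value)
    if any(c in text for c in ' ",='):
        return '"' + text.replace('"', '\\"') + '"'
    return text


def format_event(row):
    """ISO 8601 UTC timestamp first (for timestamp recognition), then
    key=value pairs in a stable, sorted order."""
    stamp = datetime.fromtimestamp(row["ts"], tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    pairs = " ".join("%s=%s" % (k, quote(v)) for k, v in sorted(row.items()) if k != "ts")
    return "%s %s" % (stamp, pairs)


def fetch_rows(after_id, rows=SAMPLE_ROWS):
    """Stand-in for the query: rows with id greater than the checkpoint."""
    return [r for r in rows if r["id"] > after_id]


def load_checkpoint(path):
    """Last emitted id, or 0 when the checkpoint is missing or unreadable."""
    try:
        with open(path) as fh:
            return int(json.load(fh)["last_id"])
    except (OSError, ValueError, KeyError, TypeError):
        return 0


def save_checkpoint(path, last_id):
    with open(path, "w") as fh:
        json.dump({"last_id": last_id}, fh)


def run_once(checkpoint_path, out=sys.stdout, rows=SAMPLE_ROWS):
    """One interval's run: emit unseen rows, then advance the checkpoint
    (only after the events are written, so a crash mid-run re-emits rather
    than loses rows). Returns the number of events written."""
    new_rows = fetch_rows(load_checkpoint(checkpoint_path), rows)
    for row in new_rows:
        out.write(format_event(row) + "\n")
    out.flush()
    if new_rows:
        save_checkpoint(checkpoint_path, max(r["id"] for r in new_rows))
    return len(new_rows)


def demo():
    """Two consecutive runs against a temporary checkpoint file."""
    path = os.path.join(tempfile.mkdtemp(), "checkpoint.json")
    first, second = io.StringIO(), io.StringIO()
    return {
        "first_run": run_once(path, first),
        "first_line": first.getvalue().splitlines()[0],
        "second_run": run_once(path, second),
        "last_id": load_checkpoint(path),
    }


if __name__ == "__main__":
    # Checkpoint location is an assumption; pick a path the Splunk user can write.
    run_once(os.path.join(os.path.dirname(os.path.abspath(__file__)), "checkpoint.json"))
```

The first run prints all three rows; the second prints nothing and leaves the checkpoint at 103. Writing the checkpoint after the events rather than before means the worst case is a duplicate event, never a silently dropped one, which is the right trade-off for data you will later search during an investigation.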

sideview
SplunkTrust

You run the script by piping your search results to the google command, e.g. "foo host=bar | google".

0 Karma

Dark_Ichigo
Builder

Thanks, but do I really need to have a key file and a wrapper script? Which files are mandatory? I am currently trying to run google.py, which is a default script I found in the Search/bin directory, in order to write the results to an output file and search it via Splunk. My question is, after adding the details to inputs.conf and commands.conf, how do you actually run the script?

0 Karma