Developing for Splunk Enterprise

creating splunk search in python script

Champion

Hi Splunk,

I am trying to create splunk search in my python script where the script is being used to create HPSM ticket.

I have created HPSM action and added to correlation search adaptive response action and this executes python script and I need to find event_id for orig_sid (sid from splunk statndard input) before creating ticket and need to add event_id in request to create HPSM ticket. using this I have created method in the same script to run search to get event id for the same sid. search is returning void. if I run method in different python script its working fine.

Here is my method which will create search in splunk(used both create and export)

def run_search(sid):
        logger.debug("Entered with sid '%s'",sid)
        #sid='scheduler_s785863SplunkEnterpriseSecuritySuite_RMD53eff93817270d051_at_1511794860_96'
        sid=sid
        #kwargs_export = {"earliest_time": "-24h","latest_time": "now","search_mode": "normal","output_mode":"json"}
        searchquery_export = "search `notable`| search orig_sid=" + sid + " | table event_id"
        logger.debug("Search Query '%s'",searchquery_export)
        service = client.connect(username="splunk", password="********")
        logger.debug("Service connect %s",service)
        #time.sleep(60)
        #exportsearch_results = service.jobs.export(searchquery_export, **kwargs_export)
        job = service.jobs.create(searchquery_export,
{"exec_mode": "blocking"})
        logger.debug("Inner job SID '%s'", job)
        result_stream = job.results()
        reader = results.ResultsReader(result_stream)
        for item in reader:
                logger.debug("Inner job Results '%s'", item)
        #query_results = exportsearch_results.read()
        #logger.debug("Notable Result '%s'", query_results )
        #return query_results
If I use static sid , its working .

Please help me out.
Thanks in advance.

————————————
If this helps, give a like below.
0 Karma

Motivator

Try surrounding sid with quotes
i.e

searchquery_export = "search `notable`| search orig_sid=\"" + sid + "\" | table event_id"

I use searchAll/searchOne method of Splunk for executing search from python script which is easier compare to creating job. Sharing it for your reference.

import splunk.search as splunkSearch

labels = splunkSearch.searchAll('| inputlookup abc_workload_mapping_lookup | search workload_d="%s" hostname = "*" | dedup type | table href type' % workload_uuid, sessionKey=session_key, namespace=app_name, owner='nobody')
    labelsList = []
0 Karma

Champion

Thanks for your answer.

How did you get the session key?

————————————
If this helps, give a like below.
0 Karma

Motivator

If it's python script, you need to set "passAuth" varriable in inputs.conf.

passAuth = splunk-system-user

Splunk will pass session key as argument to your python script which can be accessed with following line.

sessionKey = sys.stdin.readline().strip()

In case it's AR action, you can access it from modaction.session_key.

0 Karma

Motivator

@thambisetty did you resolve your problem? It will be helpful for all if you can provide your solution here .

0 Karma

Champion

script is working. when I run it separately, but when i include this in the script its not working.

what i have observed so far:
I have created two python files 1. adaptive response which will take the payload from notable event and create ticket in HPSM. 2. while updating the ticket the ticket I need to get event_id by running search against notable with filter orig_sid.
I am calling 2nd script from first script main function. and the second script is being called with the orig_id parameter and giving job_id in logging but not giving results. this is where I got stuck up.

if I run second script alone by passing static values its working fine.

please let me know your experiences if you guys have already seen this before.

————————————
If this helps, give a like below.
0 Karma