Getting Data In

Best way to implement an external script


We're using Splunk to index events from Bit9 and interact with its API to ban/approve files. We've written a python script that takes a number of command-line switches and values that we want Splunk to be able to run.

I'm unclear if the best approach is to make a custom search command, use "| script..." from the pipeline, or if I should alert off each event and run the script from there.

So if each event has the fields: hostname, host_id, is_installer, approval_type, hash

I want to run something like this for each event:

python Bit9_API -h $host_id$ -i $is_installer$ -a $approval_type$ -H $hash$

What's the smartest way to do this?




I have a similar setup where I have integrated a script to accept field values from live streaming events. The whole system integration works just fine. For instance, when I run " | script python script-name singleIP ", where the IP address is picked from a single event, it works fine.

But my only concern is to automate this for all the events in the selected time range and the field, rather than a single value.
I already tried my luck with " *| script python script-name $IP$ * ", where IP is the extracted field holding over 2000 IPs.
But the script doesn't seem to identify and read the values in there then.

I am just wondering if there are any Splunk event streaming input/output APIs I am missing that I should include in the script before automating this?
Kindly help me figure out the best and optimal path.



Hi Richa,

Any luck with " | script python script-name $IP$ "? Did you find any alternative for this?

I have a similar requirement and came across this post



Neither way is really any smarter than the other. Instead it depends on which direction you want to go, and which kind of custom python you want to maintain - python code that is run only when one or more alerts fire, or code that can be run in any search and happens to be used in some particular scheduled searches.

That said, if we're talking about a very large number of events in the tens of thousands or higher, I think it's probably best to do it as a streaming search command. I'm not sure if scripts that run on alerts are even given the entire set of events - my suspicion is that it is capped at something like 10K or 50K.

And even if it wasn't a particularly high number of events, unless there was some other reason against the search command direction, I'd probably go that way just because it's more open and in the long run leads to you learning a more powerful and generally useful kind of customization.
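The streaming-search-command approach recommended above, as an added example that is not part of the thread and not the poster's Bit9_API script: one Python process receives all the events of the search as CSV on stdin, builds the command line from the question (`-h`, `-i`, `-a`, `-H`) out of each event's own field values rather than from `$field$` tokens, and invokes the external tool once per event with an argument list (no shell), so a hostname or hash that happens to contain shell metacharacters is passed through literally. The `FIELD_SWITCHES` mapping, the `bit9_status` output field, the `runner` hook and the constructed sample CSV are assumptions of this example; in a real deployment Splunk's `splunk.Intersplunk.readResults()`/`outputResults()` helpers handle the exact stdin/stdout framing that the plain `csv` calls here stand in for.

```python
import csv
import io
import subprocess
import sys

# Event field -> switch of the external tool, taken from the command line in
# the question. The tool name and switches are the poster's; the mapping
# structure is this example's own.
FIELD_SWITCHES = [
    ("host_id", "-h"),
    ("is_installer", "-i"),
    ("approval_type", "-a"),
    ("hash", "-H"),
]

DEFAULT_TOOL = ("python", "Bit9_API")


def build_argv(event, tool=DEFAULT_TOOL):
    """Return the argument vector for one event, or None if a required field is
    missing or empty. Building a list and never a shell string means field
    values are handed to the tool verbatim, whatever characters they contain."""
    argv = list(tool)
    for field, switch in FIELD_SWITCHES:
        value = event.get(field)
        if value is None or value == "":
            return None
        argv += [switch, str(value)]
    return argv


def run_streaming(events, runner):
    """Invoke runner(argv) once per event and annotate each event with the
    outcome in an assumed 'bit9_status' field, so the search can filter on it."""
    out = []
    for event in events:
        argv = build_argv(event)
        if argv is None:
            event["bit9_status"] = "skipped_missing_field"
        else:
            rc = runner(argv)
            event["bit9_status"] = "ok" if rc == 0 else "error_rc_%d" % rc
        out.append(event)
    return out


def subprocess_runner(argv):
    """Real runner: execute the tool without a shell and return its exit code."""
    proc = subprocess.run(argv, check=False, capture_output=True, timeout=60)
    return proc.returncode


def process_csv(text, runner):
    """Parse events from CSV text (one row per event) and run them through."""
    return run_streaming(list(csv.DictReader(io.StringIO(text))), runner)


# Constructed sample events: the second row has an empty hash, the third is
# complete but the simulated tool rejects it.
SAMPLE_CSV = """hostname,host_id,is_installer,approval_type,hash
ws-01,101,1,approve,aa11
ws-02,102,0,ban,
ws-03,103,1,ban,ff99
"""


def demo():
    """Offline run with a fake runner that returns exit code 2 for hash ff99."""
    fake_runner = lambda argv: 2 if argv[-1] == "ff99" else 0
    return process_csv(SAMPLE_CSV, fake_runner)


def main():
    # As a search command: events arrive on stdin, annotated events go to stdout.
    results = run_streaming(list(csv.DictReader(sys.stdin)), subprocess_runner)
    if results:
        writer = csv.DictWriter(sys.stdout, fieldnames=list(results[0].keys()))
        writer.writeheader()
        writer.writerows(results)


if __name__ == "__main__":
    main()
```

Run as `python bit9_stream.py < events.csv` to see the annotated events; `demo()` exercises the same path offline with the constructed rows. One process per event is still a process per event, so for the tens-of-thousands case mentioned above you would batch or pool the calls inside `run_streaming`; the per-event argument construction and the no-shell invocation stay the same.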


They would all be field values coming from each incoming event.



Are some or all of those $foo$ tokens representing values that would be field values in each of the incoming events?
