Custom command arguments

alvaro_garcia
Explorer

Hello Splunkers!
I have a custom command that executes a Perl script with an argument.
Script.pl
//////////////

#!/usr/bin/perl

use strict;
use warnings;
# Run curl through the shell and capture its output; $ARGV[0] is the value passed to the script
my $curlResponseCode = `curl -v -H "Content-Type: application/xml" -X POST -H "X-X-API-Key: f2c3a693ef31HHHH7b2a294f0f9e5b84413" -d "<AAA><BBBB>AAA</BBBB><CCCC>50</CCCC><VVVV>$ARGV[0]</VVVV></AAAA>" "http://www.URL.com/test.xml"`;
///////////////////////
Commands.conf
[myscript]
type=perl
filename = script.pl

This script writes information to the corporate web site.
When I execute perl script.pl test, the script works fine.
I use the following search:
index=XXX
| stats count by field1
| script myscript field1
I need the value of field1, not the string field1.
I tried with ‘field1’, ‘$field1’ … and any combination that I could imagine.
Any ideas?
Thanks!

0 Karma
1 Solution

harsmarvania57
Ultra Champion

I have created the sample script below in Python, which finds the hostname from the output and ingests data into Splunk using HTTP Event Collector.

test.py

import requests,sys,splunk.Intersplunk,json
keywords, argvals = splunk.Intersplunk.getKeywordsAndOptions()

try:
    head={"Authorization":"Splunk 34b7bbe4-f239-44b5-ba65-61d5bec103af", "Content-Type": "application/json"}
    url="http://localhost:8088/services/collector/event"
    results = splunk.Intersplunk.getOrganizedResults()
    item = results[0]
    for a in item:
        b = a['host']
    data={"sourcetype": "test", "event": b}
    r = requests.post(url, data=json.dumps(data), headers=head)
except Exception, e:
    splunk.Intersplunk.parseError(e)

commands.conf

[testcommand]
filename = test.py
local = true
supports_rawargs = false

Splunk query which I am running

index=_internal | stats count by host | testcommand

I hope this helps to create your own script based on your requirement.

0 Karma

alvaro_garcia
Explorer

Hello, thanks, it works fine!!
Thanks a lot.
Only one observation: I needed to change except Exception, e: to except Exception as e:

0 Karma

alvaro_garcia
Explorer

harsmarvania57, post it as an answer, and I'll set it as correct.

0 Karma

harsmarvania57
Ultra Champion

Glad to hear that it worked. I have converted my comment to an answer; please accept and upvote it.

0 Karma

alvaro_garcia
Explorer

Hi, one last question ^_^
My query returns many results; I need to make a request for each result.

Thanks!

0 Karma

harsmarvania57
Ultra Champion

Here is the updated Python script:

import requests,sys,splunk.Intersplunk,json
keywords, argvals = splunk.Intersplunk.getKeywordsAndOptions()

try:
    head={"Authorization":"Splunk 34b7bbe4-f239-44b5-ba65-61d5bec103af", "Content-Type": "application/json"}
    url="http://localhost:8088/services/collector/event"
    results = splunk.Intersplunk.getOrganizedResults()
    item = results[0]
    for a in item:
        b = a['host']
        data={"sourcetype": "test", "event": b}
        r = requests.post(url, data=json.dumps(data), headers=head)
except Exception as e:
    splunk.Intersplunk.parseError(e)

If it works then you can upvote my comment.

0 Karma

alvaro_garcia
Explorer

I am using r = requests.post(url, data=data2, headers=head); my data is in XML format.

0 Karma

harsmarvania57
Ultra Champion

Which value are you fetching from the Splunk output, url or data2? If you can paste your script here, it will be helpful.

0 Karma

alvaro_garcia
Explorer

#!/usr/bin/env python

import requests,sys,splunk.Intersplunk
keywords, argvals = splunk.Intersplunk.getKeywordsAndOptions()

try:
    head={"X-API-Key": "bca3cd217870968ddd4a6a2", "Content-Type": "application/xml"}
    url="https://mydomain/host"

    results = splunk.Intersplunk.getOrganizedResults()
    item = results[0]
    for a in item:
        AA = a['AA']
        BB = a['tBB']
        data2="<field1><field2>2</field2><field3>"+ AA +"</field3><field4>"+ BB +"</field4></field1>"
        r = requests.post(url, data=data2, headers=head)

except Exception as e:
    splunk.Intersplunk.parseError(e)

0 Karma
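
Added example, not part of the original thread: the script above builds its XML body by concatenating field values, so a value containing `<` or `&` changes the document the receiver parses. This Python 3 sketch builds the same body with ElementTree and sends one request per row; `post_rows`, the injected `send` callable, the `MY_API_KEY` variable and the sample rows are assumptions made for illustration.

```python
import os
import xml.etree.ElementTree as ET

def concat_payload(row):
    # Same string concatenation as the script above, kept for comparison.
    return ("<field1><field2>2</field2><field3>" + row["AA"] +
            "</field3><field4>" + row["tBB"] + "</field4></field1>")

def build_payload(row):
    # ElementTree escapes &, < and > in text nodes, so a field value
    # cannot open or close an element of its own.
    root = ET.Element("field1")
    ET.SubElement(root, "field2").text = "2"
    ET.SubElement(root, "field3").text = str(row["AA"])
    ET.SubElement(root, "field4").text = str(row["tBB"])
    return ET.tostring(root, encoding="unicode")

def post_rows(rows, send, api_key):
    # One request per result row. `send` is injected (hypothetical helper) so
    # the logic runs offline; inside Splunk it would wrap requests.post.
    headers = {"X-API-Key": api_key, "Content-Type": "application/xml"}
    sent = []
    for row in rows:
        if "AA" not in row or "tBB" not in row:
            continue  # skip rows missing a required field instead of aborting
        body = build_payload(row)
        send(body, headers)
        sent.append(body)
    return sent

def field_count(xml_text):
    # Number of child elements the receiver would see after parsing.
    return len(list(ET.fromstring(xml_text)))

# Constructed sample rows, shaped like the row dicts the scripts above iterate over.
SAMPLE_ROWS = [
    {"AA": "web01", "tBB": "17"},
    {"AA": "x</field3><field2>999</field2><field3>", "tBB": "R&D"},
    {"AA": "db02"},  # no tBB field
]

if __name__ == "__main__":
    # Key comes from the environment rather than the script (variable name is an assumption).
    key = os.environ.get("MY_API_KEY", "PLACEHOLDER")
    for body in post_rows(SAMPLE_ROWS, lambda b, h: None, key):
        print(body)
```
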

harsmarvania57
Ultra Champion

When you run the above script, what problem are you facing? Also, can you please remove #!/usr/bin/env python from your script, because Splunk will use its inbuilt Python.

0 Karma

alvaro_garcia
Explorer

OK, thanks, right. I removed the #!/usr/bin/env python

0 Karma

harsmarvania57
Ultra Champion

The answers given on this question might help you: https://answers.splunk.com/answers/385936/unable-to-execute-python-script-could-be-splunk-li.html but they are for Python; you need to modify your Perl script accordingly and give it a try.

0 Karma

alvaro_garcia
Explorer

I adapted my Perl script to Python:

import requests,sys,splunk.Intersplunk
keywords, argvals = splunk.Intersplunk.getKeywordsAndOptions()
argument1 = argvals.get("field1")
print argument1
url= "http://www.XXXXXcom/AAA.xml"
headers = {'API-Key': 'f2c3a693esb2ad02f0f9e5b84413',
'Content-Type': 'application/xml'}
data = "% (argument1)"
r = requests.post(url, data=data, headers=headers)

But my problem now is how to pass the value of the search field to argument1. I tried:
https://answers.splunk.com/answers/409554/how-to-pass-hostname-to-a-custom-alert-script.html and others, but I am not an expert in Python.

Thanks

0 Karma