Getting Data In

Custom command arguments

alvaro_garcia
Explorer

Hello Splunkers!
I have a custom command, that execute a perl script with argument.
Script.pl
//////////////

!/usr/bin/perl

use strict;
use warnings;
my $curlResponseCode = curl -v -H "Content-Type: application/xml" -X POST -H "X-X-API-Key: f2c3a693ef31HHHH7b2a294f0f9e5b84413" -d "<AAA><BBBB>AAA</BBBB><CCCC>50</CCCC><VVVV>$ARGV[0]</VVVV></AAAA>" "http://www.URL.com/test.xml";
///////////////////////
Commands.conf
[myscript]
type=perl
filename = script.pl

This script writes in corporate web site information.
I execute perl script.pl test, the script work fine.
I use the following search:
index=XXX
| stats count by field1
| script myscript field1
I need the value of field1, no the string field1.
I tried with ‘field1’, ‘$field1’ …. And any combination that I imagine
Any idea?
Thnks!

0 Karma
1 Solution

harsmarvania57
SplunkTrust
SplunkTrust

I have created below sample script in python which finds hostname from output and ingest data into splunk using HTTP Event Collector

test.py

import requests,sys,splunk.Intersplunk,json
keywords, argvals = splunk.Intersplunk.getKeywordsAndOptions()

try:
     head={"Authorization":"Splunk 34b7bbe4-f239-44b5-ba65-61d5bec103af", "Content-Type": "application/json"}
     url="http://localhost:8088/services/collector/event"
     results = splunk.Intersplunk.getOrganizedResults()
     item = results[0]
     for a in item:
          b = a['host']
     data={"sourcetype": "test", "event": b}
     r = requests.post(url, data=json.dumps(data), headers=head)
except Exception, e:
    splunk.Intersplunk.parseError(e)

commands.conf

[testcommand]
filename = test.py
local = true
supports_rawargs = false

Splunk query which I am running

index=_internal | stats count by host | testcommand

I hope this helps to create your own script based on your requirement.

View solution in original post

0 Karma

harsmarvania57
SplunkTrust
SplunkTrust

I have created below sample script in python which finds hostname from output and ingest data into splunk using HTTP Event Collector

test.py

import requests,sys,splunk.Intersplunk,json
keywords, argvals = splunk.Intersplunk.getKeywordsAndOptions()

try:
     head={"Authorization":"Splunk 34b7bbe4-f239-44b5-ba65-61d5bec103af", "Content-Type": "application/json"}
     url="http://localhost:8088/services/collector/event"
     results = splunk.Intersplunk.getOrganizedResults()
     item = results[0]
     for a in item:
          b = a['host']
     data={"sourcetype": "test", "event": b}
     r = requests.post(url, data=json.dumps(data), headers=head)
except Exception, e:
    splunk.Intersplunk.parseError(e)

commands.conf

[testcommand]
filename = test.py
local = true
supports_rawargs = false

Splunk query which I am running

index=_internal | stats count by host | testcommand

I hope this helps to create your own script based on your requirement.

0 Karma

alvaro_garcia
Explorer

Hello, thanks work fine!!
Thnks a lot.
Only a appreciation I need to change except Exception, e: to except Exception as e:

0 Karma

alvaro_garcia
Explorer

harsmarvania57 post as answer, and I set as correct

0 Karma

harsmarvania57
SplunkTrust
SplunkTrust

Glad to hear that it worked, I have converted my comment as answer please accept and upvote it.

0 Karma

alvaro_garcia
Explorer

Hi, the last question, ^_^
My query returns many result, I need to made a request for result.

Thanks!

0 Karma

harsmarvania57
SplunkTrust
SplunkTrust

Here is updated python script

import requests,sys,splunk.Intersplunk,json
keywords, argvals = splunk.Intersplunk.getKeywordsAndOptions()

try:
     head={"Authorization":"Splunk 34b7bbe4-f239-44b5-ba65-61d5bec103af", "Content-Type": "application/json"}
     url="http://localhost:8088/services/collector/event"
     results = splunk.Intersplunk.getOrganizedResults()
     item = results[0]
     for a in item:
       b = a['host']
       data={"sourcetype": "test", "event": b}
       r = requests.post(url, data=json.dumps(data), headers=head)
except Exception as e:
    splunk.Intersplunk.parseError(e)

If it works then you can upvote my comment.

0 Karma

alvaro_garcia
Explorer

I am using r = requests.post(url, data=data2, headers=head), my data is in xml format

0 Karma

harsmarvania57
SplunkTrust
SplunkTrust

Which value are you fetching from Splunk output url or data2 ? If you can paste your script here then it will be helpful.

0 Karma

alvaro_garcia
Explorer

!/usr/bin/env python

import requests,sys,splunk.Intersplunk
keywords, argvals = splunk.Intersplunk.getKeywordsAndOptions()

try:
head={"X-API-Key": "bca3cd217870968ddd4a6a2", "Content-Type": "application/xml"}
url="https://mydomain/host"

  results = splunk.Intersplunk.getOrganizedResults()
  item = results[0]
  for a in item:
                  AA = a['AA']
                 BB = a['tBB']
                  data2="<field1><field2>2</field2><field3>"+ AA +"</field3><field4>"+ BB +"</field4></field1>"
                  r = requests.post(url, data=data2, headers=head)

except Exception as e:
splunk.Intersplunk.parseError(e)

0 Karma

harsmarvania57
SplunkTrust
SplunkTrust

When you run above script what problem are you facing? and can you please remove !/usr/bin/env python from your script because splunk will use inbuilt python.

0 Karma

alvaro_garcia
Explorer

ok, thanks right, I remove the !/usr/bin/env python

0 Karma

harsmarvania57
SplunkTrust
SplunkTrust

Answer given on this question might help you https://answers.splunk.com/answers/385936/unable-to-execute-python-script-could-be-splunk-li.html but they are for python, you need to modify your perl script accordingly and give it a try.

0 Karma

alvaro_garcia
Explorer

I adapted my perl script to python:

import requests,sys,splunk.Intersplunk
keywords, argvals = splunk.Intersplunk.getKeywordsAndOptions()
argument1 = argvals.get("field1")
print argument1
url= "http://www.XXXXXcom/AAA.xml"
headers = {'API-Key': 'f2c3a693esb2ad02f0f9e5b84413',
'Content-Type': 'application/xml'}
data = "% (argument1)"
r = requests.post(url, data=data, headers=headers)

But my problem now is how to pass the value of search field to argument1, i tried:
https://answers.splunk.com/answers/409554/how-to-pass-hostname-to-a-custom-alert-script.html and others. But I not an expert in python

Thanks

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...