Getting Data In

Custom command arguments

alvaro_garcia
Explorer

Hello Splunkers!
I have a custom command, that execute a perl script with argument.
Script.pl
//////////////

!/usr/bin/perl

use strict;
use warnings;
my $curlResponseCode = curl -v -H "Content-Type: application/xml" -X POST -H "X-X-API-Key: f2c3a693ef31HHHH7b2a294f0f9e5b84413" -d "<AAA><BBBB>AAA</BBBB><CCCC>50</CCCC><VVVV>$ARGV[0]</VVVV></AAAA>" "http://www.URL.com/test.xml";
///////////////////////
Commands.conf
[myscript]
type=perl
filename = script.pl

This script writes in corporate web site information.
I execute perl script.pl test, the script work fine.
I use the following search:
index=XXX
| stats count by field1
| script myscript field1
I need the value of field1, no the string field1.
I tried with ‘field1’, ‘$field1’ …. And any combination that I imagine
Any idea?
Thnks!

0 Karma
1 Solution

harsmarvania57
SplunkTrust
SplunkTrust

I have created below sample script in python which finds hostname from output and ingest data into splunk using HTTP Event Collector

test.py

import requests,sys,splunk.Intersplunk,json
keywords, argvals = splunk.Intersplunk.getKeywordsAndOptions()

try:
     head={"Authorization":"Splunk 34b7bbe4-f239-44b5-ba65-61d5bec103af", "Content-Type": "application/json"}
     url="http://localhost:8088/services/collector/event"
     results = splunk.Intersplunk.getOrganizedResults()
     item = results[0]
     for a in item:
          b = a['host']
     data={"sourcetype": "test", "event": b}
     r = requests.post(url, data=json.dumps(data), headers=head)
except Exception, e:
    splunk.Intersplunk.parseError(e)

commands.conf

[testcommand]
filename = test.py
local = true
supports_rawargs = false

Splunk query which I am running

index=_internal | stats count by host | testcommand

I hope this helps to create your own script based on your requirement.

View solution in original post

0 Karma

harsmarvania57
SplunkTrust
SplunkTrust

I have created below sample script in python which finds hostname from output and ingest data into splunk using HTTP Event Collector

test.py

import requests,sys,splunk.Intersplunk,json
keywords, argvals = splunk.Intersplunk.getKeywordsAndOptions()

try:
     head={"Authorization":"Splunk 34b7bbe4-f239-44b5-ba65-61d5bec103af", "Content-Type": "application/json"}
     url="http://localhost:8088/services/collector/event"
     results = splunk.Intersplunk.getOrganizedResults()
     item = results[0]
     for a in item:
          b = a['host']
     data={"sourcetype": "test", "event": b}
     r = requests.post(url, data=json.dumps(data), headers=head)
except Exception, e:
    splunk.Intersplunk.parseError(e)

commands.conf

[testcommand]
filename = test.py
local = true
supports_rawargs = false

Splunk query which I am running

index=_internal | stats count by host | testcommand

I hope this helps to create your own script based on your requirement.

0 Karma

alvaro_garcia
Explorer

Hello, thanks work fine!!
Thnks a lot.
Only a appreciation I need to change except Exception, e: to except Exception as e:

0 Karma

alvaro_garcia
Explorer

harsmarvania57 post as answer, and I set as correct

0 Karma

harsmarvania57
SplunkTrust
SplunkTrust

Glad to hear that it worked, I have converted my comment as answer please accept and upvote it.

0 Karma

alvaro_garcia
Explorer

Hi, the last question, ^_^
My query returns many result, I need to made a request for result.

Thanks!

0 Karma

harsmarvania57
SplunkTrust
SplunkTrust

Here is updated python script

import requests,sys,splunk.Intersplunk,json
keywords, argvals = splunk.Intersplunk.getKeywordsAndOptions()

try:
     head={"Authorization":"Splunk 34b7bbe4-f239-44b5-ba65-61d5bec103af", "Content-Type": "application/json"}
     url="http://localhost:8088/services/collector/event"
     results = splunk.Intersplunk.getOrganizedResults()
     item = results[0]
     for a in item:
       b = a['host']
       data={"sourcetype": "test", "event": b}
       r = requests.post(url, data=json.dumps(data), headers=head)
except Exception as e:
    splunk.Intersplunk.parseError(e)

If it works then you can upvote my comment.

0 Karma

alvaro_garcia
Explorer

I am using r = requests.post(url, data=data2, headers=head), my data is in xml format

0 Karma

harsmarvania57
SplunkTrust
SplunkTrust

Which value are you fetching from Splunk output url or data2 ? If you can paste your script here then it will be helpful.

0 Karma

alvaro_garcia
Explorer

!/usr/bin/env python

import requests,sys,splunk.Intersplunk
keywords, argvals = splunk.Intersplunk.getKeywordsAndOptions()

try:
head={"X-API-Key": "bca3cd217870968ddd4a6a2", "Content-Type": "application/xml"}
url="https://mydomain/host"

  results = splunk.Intersplunk.getOrganizedResults()
  item = results[0]
  for a in item:
                  AA = a['AA']
                 BB = a['tBB']
                  data2="<field1><field2>2</field2><field3>"+ AA +"</field3><field4>"+ BB +"</field4></field1>"
                  r = requests.post(url, data=data2, headers=head)

except Exception as e:
splunk.Intersplunk.parseError(e)

0 Karma

harsmarvania57
SplunkTrust
SplunkTrust

When you run above script what problem are you facing? and can you please remove !/usr/bin/env python from your script because splunk will use inbuilt python.

0 Karma

alvaro_garcia
Explorer

ok, thanks right, I remove the !/usr/bin/env python

0 Karma

harsmarvania57
SplunkTrust
SplunkTrust

Answer given on this question might help you https://answers.splunk.com/answers/385936/unable-to-execute-python-script-could-be-splunk-li.html but they are for python, you need to modify your perl script accordingly and give it a try.

0 Karma

alvaro_garcia
Explorer

I adapted my perl script to python:

import requests,sys,splunk.Intersplunk
keywords, argvals = splunk.Intersplunk.getKeywordsAndOptions()
argument1 = argvals.get("field1")
print argument1
url= "http://www.XXXXXcom/AAA.xml"
headers = {'API-Key': 'f2c3a693esb2ad02f0f9e5b84413',
'Content-Type': 'application/xml'}
data = "% (argument1)"
r = requests.post(url, data=data, headers=headers)

But my problem now is how to pass the value of search field to argument1, i tried:
https://answers.splunk.com/answers/409554/how-to-pass-hostname-to-a-custom-alert-script.html and others. But I not an expert in python

Thanks

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...