Getting Data In

How do I alter props.conf via Python SDK?

tqi_raurora
Engager

I can alter props.conf via the REST API using the following request:

curl -k -u admin:password https://localhost:8089/servicesNS/nobody/search/configs/conf-props -d name=source::/logs/mylog.log -d TRANSFORMS-null=setnull

This will add the following stanza to props.conf:

[source::/logs/mylog.log]
TRANSFORMS-null = setnull

However, is there a way I can get the same results using the Python SDK?

0 Karma
1 Solution

harsmarvania57
Ultra Champion

Hi @tqi_raurora,

You can use below python sdk script to create and modify props stanza. I am strongly recommending to test this script in Test environment first.

Let's say script name is test_props_sdk.py

import sys
sys.path.append('splunk-sdk-python-1.6.4')
import splunklib.six as six
import urllib
from xml.etree import ElementTree
import getpass
import json

HOST = raw_input("Enter splunk server hostname/ip: ")
PORT = 8089
splunkUser = raw_input("Enter Splunk Admin Username: ")
splunkPassword = getpass.getpass("Enter Splunk Admin Password: ")
ce_param = raw_input("Create or Modify props: ")
if ce_param == 'Modify':
    stanza_name = raw_input("Enter props stanza name: ")
    stanza_encoded = urllib.quote_plus(stanza_name)
props_param = raw_input("Props parameter in json format: ")

connection = six.moves.http_client.HTTPSConnection(HOST, PORT)
body = urllib.urlencode({'username': splunkUser, 'password': splunkPassword})
headers = {'Content-Type': "application/x-www-form-urlencoded",
           'Host': HOST
          }

connection.request("POST", "/services/auth/login", body, headers)
response = connection.getresponse()
content = response.read()
connection.close()

session_key = ElementTree.XML(content).findtext("./sessionKey")

connection = six.moves.http_client.HTTPSConnection(HOST, PORT)
headers = {'Content-Type': "application/x-www-form-urlencoded",
           'Host': HOST,
           'Authorization': "Splunk %s" % session_key
          }

body =  urllib.urlencode(json.loads(props_param))

if ce_param == 'Create':
    connection.request("POST", "/servicesNS/nobody/search/configs/conf-props/" , body, headers)
elif ce_param == 'Modify':
    connection.request("POST", "/servicesNS/nobody/search/configs/conf-props/" + stanza_encoded, body, headers)
else:
    print("Please provide correct input")
    sys.exit(1)

response = connection.getresponse()
content = response.read()
connection.close()

print content

If you would like to create new props stanza, script will prompt for many parameters as below (Make sure to use double quotes while passing value in JSON format otherwise script will fail)

$ python test_props_sdk.py
Enter splunk server hostname/ip: SERVERNAME
Enter Splunk Admin Username: admin
Enter Splunk Admin Password:
Create or Modify props: Create
Props parameter in json format: {"name": "source::/log/mylog.log", "TRANSFORMS-null": "setnull"}

And if you would like to modify existing props stanza, script will prompt for many parameters as below (Make sure to use double quotes while passing value in JSON format otherwise script will fail)

$ python test_props_sdk.py
Enter splunk server hostname/ip: SERVERNAME
Enter Splunk Admin Username: admin
Enter Splunk Admin Password:
Create or Modify props: Modify
Enter props stanza name: source::/log/mylog.log
Props parameter in json format: {"TRANSFORMS-null": "setnull123"}

I hope this helps.

Thanks,
Harshil

View solution in original post

tqi_raurora
Engager

A simple way would be using the client module: http://dev.splunk.com/python#client

from splunklib.client import connect

print('connecting...')

service = connect(
    host='localhost',
    port='8089',
    username='admin',
    password='password'
)

print('connected!')

service.confs['props'].create(
    'source::/logs/mylog.log'
).submit(
    {'TRANSFORMS-null': 'setnull'}
)
0 Karma

harsmarvania57
Ultra Champion

Hi @tqi_raurora,

You can use below python sdk script to create and modify props stanza. I am strongly recommending to test this script in Test environment first.

Let's say script name is test_props_sdk.py

import sys
sys.path.append('splunk-sdk-python-1.6.4')
import splunklib.six as six
import urllib
from xml.etree import ElementTree
import getpass
import json

HOST = raw_input("Enter splunk server hostname/ip: ")
PORT = 8089
splunkUser = raw_input("Enter Splunk Admin Username: ")
splunkPassword = getpass.getpass("Enter Splunk Admin Password: ")
ce_param = raw_input("Create or Modify props: ")
if ce_param == 'Modify':
    stanza_name = raw_input("Enter props stanza name: ")
    stanza_encoded = urllib.quote_plus(stanza_name)
props_param = raw_input("Props parameter in json format: ")

connection = six.moves.http_client.HTTPSConnection(HOST, PORT)
body = urllib.urlencode({'username': splunkUser, 'password': splunkPassword})
headers = {'Content-Type': "application/x-www-form-urlencoded",
           'Host': HOST
          }

connection.request("POST", "/services/auth/login", body, headers)
response = connection.getresponse()
content = response.read()
connection.close()

session_key = ElementTree.XML(content).findtext("./sessionKey")

connection = six.moves.http_client.HTTPSConnection(HOST, PORT)
headers = {'Content-Type': "application/x-www-form-urlencoded",
           'Host': HOST,
           'Authorization': "Splunk %s" % session_key
          }

body =  urllib.urlencode(json.loads(props_param))

if ce_param == 'Create':
    connection.request("POST", "/servicesNS/nobody/search/configs/conf-props/" , body, headers)
elif ce_param == 'Modify':
    connection.request("POST", "/servicesNS/nobody/search/configs/conf-props/" + stanza_encoded, body, headers)
else:
    print("Please provide correct input")
    sys.exit(1)

response = connection.getresponse()
content = response.read()
connection.close()

print content

If you would like to create new props stanza, script will prompt for many parameters as below (Make sure to use double quotes while passing value in JSON format otherwise script will fail)

$ python test_props_sdk.py
Enter splunk server hostname/ip: SERVERNAME
Enter Splunk Admin Username: admin
Enter Splunk Admin Password:
Create or Modify props: Create
Props parameter in json format: {"name": "source::/log/mylog.log", "TRANSFORMS-null": "setnull"}

And if you would like to modify existing props stanza, script will prompt for many parameters as below (Make sure to use double quotes while passing value in JSON format otherwise script will fail)

$ python test_props_sdk.py
Enter splunk server hostname/ip: SERVERNAME
Enter Splunk Admin Username: admin
Enter Splunk Admin Password:
Create or Modify props: Modify
Enter props stanza name: source::/log/mylog.log
Props parameter in json format: {"TRANSFORMS-null": "setnull123"}

I hope this helps.

Thanks,
Harshil

jvardev
Path Finder

Thank you, very appreciated!

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...