Getting Data In

Using a Python script to call an API

bazcurtis178
Explorer

Hi,

I am trying to use the Sophos Central API. It uses a Python script to download the data into a file. I have successfully run this on my Mac, but I am not sure where to start in Splunk. I thought I would drop the script in $SPLUNK_HOME/bin/scripts, but the script is not seen.

I assume Splunk will then look at the downloaded file and index it?

Any help would be much appreciated.

0 Karma

bazcurtis178
Explorer

Thanks Damien. I will take a look at this on Friday.

0 Karma

Damien_Dallimor
Ultra Champion

I have underlined where you enter 1) URL 2) HTTP Header properties 3) URL parameters


0 Karma

bazcurtis178
Explorer

I have finally got back to this. Sorry for all the questions, but I appreciate the help.

I assumed that I would paste in the Header API key or API Access URL + Headers into the setup page, but I am not seeing a place for that. The URL is obvious, but where do the API tokens go? With only two to choose from I thought it would be simple?

Any other pointers would be most welcome.

0 Karma

Damien_Dallimor
Ultra Champion

Having a quick look at the docs, https://community.sophos.com/kb/en-us/125169/, and the example script, https://github.com/sophos/Sophos-Central-SIEM-Integration

It would be very easy to use the REST API Modular Input and set up an input with the Sophos URL, auth headers, checkpointing etc. as detailed in the docs, and skip the need to save a downloaded file to disk and rather just stream this data directly into Splunk.

0 Karma

bazcurtis178
Explorer

Thanks for the replies. I will take a look at that and confirm the answer once tested. I like the look of the REST API. I was hoping to get the data straight into Splunk rather than download the file and get the data from there.

0 Karma

jkat54
SplunkTrust

That’s exactly what the REST API modular input would do. Same for a scripted input writing to stdout.

0 Karma

jkat54
SplunkTrust

Check out inputs.conf section regarding scripted inputs.

The scripted input indexes whatever is coming to stdout.

If your script downloads data to a file, perhaps a slight modification would make it print the data to stdout.

Another option is making the script run as a cron job and then using a Splunk inputs.conf monitor stanza to monitor the location that the script is putting data files into.

0 Karma
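A scripted input of the kind jkat54 describes, written here as an added example (not code from the thread, from Sophos or from Splunk): it polls a paged HTTP API, prints one compact JSON event per line to stdout for Splunk to index, and saves a cursor checkpoint so the next scheduled run does not replay data already indexed. The API URL, bearer token, checkpoint path and the `items`/`next_cursor` response shape are assumed placeholders; the real Sophos values come from its docs.

```python
"""Splunk scripted input: poll a paged HTTP API and print events to stdout."""
import json
import os
import sys
import urllib.request

# Constructed placeholders: the real Sophos URL and auth headers come from its docs.
API_URL = os.environ.get("API_URL", "https://api.example.invalid/events")
API_TOKEN = os.environ.get("API_TOKEN", "")
CHECKPOINT_FILE = os.environ.get("CHECKPOINT_FILE", "/tmp/api_input.checkpoint")

def fetch_page(cursor):
    """Live HTTP fetch; expects JSON {"items": [...], "next_cursor": str|null}."""
    url = API_URL + ("?cursor=" + cursor if cursor else "")
    req = urllib.request.Request(url, headers={"Authorization": "Bearer " + API_TOKEN})
    with urllib.request.urlopen(req, timeout=30) as resp:
        body = json.load(resp)
    return body.get("items", []), body.get("next_cursor")

def read_checkpoint(path):
    try:  # cursor saved by the previous run, or None on the first run
        with open(path) as fh:
            return fh.read().strip() or None
    except FileNotFoundError:
        return None

def write_checkpoint(path, cursor):
    tmp = path + ".tmp"  # write-then-rename so a crash never leaves a half-written cursor
    with open(tmp, "w") as fh:
        fh.write(cursor)
    os.replace(tmp, path)

def run(fetch, checkpoint_path, out):
    """Drain every page after the saved cursor; one compact JSON object per line."""
    cursor = read_checkpoint(checkpoint_path)
    emitted = 0
    while True:
        events, next_cursor = fetch(cursor)
        for event in events:
            out.write(json.dumps(event, separators=(",", ":")) + "\n")
        emitted += len(events)
        if not next_cursor or next_cursor == cursor:
            break  # no further page, or the API handed back the same cursor
        write_checkpoint(checkpoint_path, next_cursor)
        cursor = next_cursor
    out.flush()
    return emitted

if __name__ == "__main__":
    run(fetch_page, CHECKPOINT_FILE, sys.stdout)
```

Point an inputs.conf `[script://...]` stanza with an `interval` at this file and Splunk indexes each stdout line as an event; keep the token in an environment variable or Splunk's credential store rather than in the script.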

bazcurtis178
Explorer

Thanks for the reply. My first issue is getting the script to run. How do I get the script added so that it at least runs once?

0 Karma

jkat54
SplunkTrust

This link does a pretty good job of explaining it:

https://sublimerobots.com/2017/01/simple-splunk-scripted-input-example/

The inputs.conf tells Splunk to execute the script based on whatever interval you provide.

0 Karma