Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Using field values in a bash script

xureal
New Member
‎01-31-2013 01:06 PM

Hello,

I'm trying to write a shell script in response to attempted ssh logins from multiple IP addresses. I have used rex to create a username field in my search since splunk couldn't grab the data itself, and was wondering if there is any way of passing the value of the field into my shell script.

My search:
eventtype=ssh-login-attempt | rex field=_raw "User '(?\w+)"

I'm looking to get the value of the username field into my shell script.

Tags (2)
0 Karma
Reply

dcparker
Path Finder
‎03-20-2013 07:00 AM

Did you get anywhere with this? I'm starting to explore the same thing. Thanks!

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎01-31-2013 02:59 PM

Depending on what you're trying to achieve, your script could call the query through a splunk API such as the REST one.

Alternatively, you could trigger your script from a splunk alert and then pick up the results.

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎01-31-2013 11:42 PM

When you're running the query as an alert already you should look into passing the results to a script called by an alert - http://docs.splunk.com/Documentation/Splunk/5.0.1/alert/ConfiguringScriptedAlerts

0 Karma
Reply

xureal
New Member
‎01-31-2013 03:10 PM

Thanks for the response. Just had a quick scroll through the REST API, not sure if that's what I'm looking for, however I will have a better read 'morrow when I wake up.

Just to clarify, the search will pick out users that try to ssh into the server from more than one ip address.

So for instance if the user 'andy' tries to ssh in from 192.168.0.2 and 192.168.1.5 the alert will fire off. What I'm trying to do is pass the value of the username, in this case 'andy', to the script, so that I could for example change the motd on the router to something like " Andy tried to login from 2 IPs "

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...