how do I pull just the host field out of a search ...

msantoro1 · ‎07-13-2011

I am trying to write a custom search module in python that will check the host field of event data in a comprehensive search and trigger a command line call to a remote server to block any ip in the search that matches a blacklist. I am thinking the data that I am looking for is somewhere in the 'results' returned from splunk.Intersplunk.getOrganizedResults() but I cannot figure out how to access it, specifically just the host field.

dwaddle · ‎07-13-2011

This might be more easily done as a script fired as part of an alert action. http://www.splunk.com/base/Documentation/4.2.2/User/SchedulingSavedSearches#Run_a_script

msantoro1 · ‎07-14-2011

also I still need to be able to pull out the host data even if it is an alert.

msantoro1 · ‎07-14-2011

Thanks for the advice, I looked into alerts, and I'm not sure that the alert solution is correct for my particular application. This is because the criteria for triggering the block are diverse and inconsistent. The same set of conditions that in one instance would require a block, in a another would not. Really just looking for a new argument to supply to a specific search i.e. "search | uniq | block" that would trigger the block. I have found that it is easy enough to trigger the action, I have having problems accessing the data, also debugging python is a huge pain inside of splunk.

sideview · ‎07-13-2011

Agreed. run the search for the list of hosts, and then in the script operate on all of them at once.

how do I pull just the host field out of a search to use as input for a custom search module

Video | Welcome Back to Smartness, Pedro

Detector Best Practices: Static Thresholds

Expert Tips from Splunk Education, Observability in Action, Plus More New Articles on ...