I am trying to write a custom search module in python that will check the host field of event data in a comprehensive search and trigger a command line call to a remote server to block any ip in the search that matches a blacklist. I am thinking the data that I am looking for is somewhere in the 'results' returned from splunk.Intersplunk.getOrganizedResults() but I cannot figure out how to access it, specifically just the host field.
Agreed. run the search for the list of hosts, and then in the script operate on all of them at once.
Thanks for the advice, I looked into alerts, and I'm not sure that the alert solution is correct for my particular application. This is because the criteria for triggering the block are diverse and inconsistent. The same set of conditions that in one instance would require a block, in a another would not. Really just looking for a new argument to supply to a specific search i.e. "search | uniq | block" that would trigger the block. I have found that it is easy enough to trigger the action, I have having problems accessing the data, also debugging python is a huge pain inside of splunk.