Getting Data In

script alert filetype question

Anthony_Hou
Path Finder

Hi all,

I have a question about script alert. Now the script alert will transform the result to gzip filetype. Is there any way to change the filetype to txt or csv filetype? As I know, splunk 3.x will transform the result to non-gz filetype. But on splunk 4.x, default is .gz filetype.

tks for any solutions.

Tags (2)
1 Solution

Lowell
Super Champion

I'm not sure you can control if splunk will be handing you a compressed (.gz) or un-compressed file. I'm guessing that you can't. Either way the content of the results file is a simple CSV format.

If you are using a python script as your scripted action, then you can handle either situation quite easily. Here is a very simple example that uses an openany() function to handle both compressed and uncompressed files.

#!/opt/splunk/bin/python
import sys, csv

def openany(p):
    if p.endswith(".gz"):
        import gzip
        return gzip.open(p)
    else:
        return open(p)

results_file = sys.argv[8]
for result in csv.DictReader(openany(results_file)):
    # Do whatever action with your results ...
    print results["_raw"]

You can probably get away with simply copying the openany() function to you script. (You should be able to easily adapt this to a non-python environment too since handing gzip files and csv content is pretty universal.)

Another option would be to use a small python wrapper script that isolates these differences from your script/executable. You could even make such a wrapper script write out just the raw events if your script only wants to see the event text rather than CSV format. (I could provide an example if you think that would be a good option.)

View solution in original post

0 Karma

Lowell
Super Champion

I'm not sure you can control if splunk will be handing you a compressed (.gz) or un-compressed file. I'm guessing that you can't. Either way the content of the results file is a simple CSV format.

If you are using a python script as your scripted action, then you can handle either situation quite easily. Here is a very simple example that uses an openany() function to handle both compressed and uncompressed files.

#!/opt/splunk/bin/python
import sys, csv

def openany(p):
    if p.endswith(".gz"):
        import gzip
        return gzip.open(p)
    else:
        return open(p)

results_file = sys.argv[8]
for result in csv.DictReader(openany(results_file)):
    # Do whatever action with your results ...
    print results["_raw"]

You can probably get away with simply copying the openany() function to you script. (You should be able to easily adapt this to a non-python environment too since handing gzip files and csv content is pretty universal.)

Another option would be to use a small python wrapper script that isolates these differences from your script/executable. You could even make such a wrapper script write out just the raw events if your script only wants to see the event text rather than CSV format. (I could provide an example if you think that would be a good option.)

0 Karma

dungpv
Explorer

Hi Lowell,
I have the same problem as Anthony Hou. My result of alert is fortmat zip. I want change from zip to CSV. Could you please guide me? Thanks a lot.

0 Karma
Get Updates on the Splunk Community!

Fueling your curiosity with new Splunk ILT and eLearning courses

At Splunk Education, we’re driven by curiosity—both ours and yours! That’s why we’re committed to delivering ...

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...

Splunk AI Assistant for SPL has transformed how users interact with Splunk, making it easier than ever to ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureOn Demand Now Step boldly into the AI revolution with enhanced security ...