Getting Data In

script alert filetype question

Path Finder

Hi all,

I have a question about script alert. Now the script alert will transform the result to gzip filetype. Is there any way to change the filetype to txt or csv filetype? As I know, splunk 3.x will transform the result to non-gz filetype. But on splunk 4.x, default is .gz filetype.

tks for any solutions.

Tags (2)
1 Solution

Super Champion

I'm not sure you can control if splunk will be handing you a compressed (.gz) or un-compressed file. I'm guessing that you can't. Either way the content of the results file is a simple CSV format.

If you are using a python script as your scripted action, then you can handle either situation quite easily. Here is a very simple example that uses an openany() function to handle both compressed and uncompressed files.

#!/opt/splunk/bin/python
import sys, csv

def openany(p):
    if p.endswith(".gz"):
        import gzip
        return gzip.open(p)
    else:
        return open(p)

results_file = sys.argv[8]
for result in csv.DictReader(openany(results_file)):
    # Do whatever action with your results ...
    print results["_raw"]

You can probably get away with simply copying the openany() function to you script. (You should be able to easily adapt this to a non-python environment too since handing gzip files and csv content is pretty universal.)

Another option would be to use a small python wrapper script that isolates these differences from your script/executable. You could even make such a wrapper script write out just the raw events if your script only wants to see the event text rather than CSV format. (I could provide an example if you think that would be a good option.)

View solution in original post

0 Karma

Super Champion

I'm not sure you can control if splunk will be handing you a compressed (.gz) or un-compressed file. I'm guessing that you can't. Either way the content of the results file is a simple CSV format.

If you are using a python script as your scripted action, then you can handle either situation quite easily. Here is a very simple example that uses an openany() function to handle both compressed and uncompressed files.

#!/opt/splunk/bin/python
import sys, csv

def openany(p):
    if p.endswith(".gz"):
        import gzip
        return gzip.open(p)
    else:
        return open(p)

results_file = sys.argv[8]
for result in csv.DictReader(openany(results_file)):
    # Do whatever action with your results ...
    print results["_raw"]

You can probably get away with simply copying the openany() function to you script. (You should be able to easily adapt this to a non-python environment too since handing gzip files and csv content is pretty universal.)

Another option would be to use a small python wrapper script that isolates these differences from your script/executable. You could even make such a wrapper script write out just the raw events if your script only wants to see the event text rather than CSV format. (I could provide an example if you think that would be a good option.)

View solution in original post

0 Karma

Explorer

Hi Lowell,
I have the same problem as Anthony Hou. My result of alert is fortmat zip. I want change from zip to CSV. Could you please guide me? Thanks a lot.

0 Karma