Solved: script alert filetype question

Anthony_Hou · ‎06-14-2010

Hi all,

I have a question about script alert. Now the script alert will transform the result to gzip filetype. Is there any way to change the filetype to txt or csv filetype? As I know, splunk 3.x will transform the result to non-gz filetype. But on splunk 4.x, default is .gz filetype.

tks for any solutions.

Lowell · ‎06-14-2010

I'm not sure you can control if splunk will be handing you a compressed (.gz) or un-compressed file. I'm guessing that you can't. Either way the content of the results file is a simple CSV format.

If you are using a python script as your scripted action, then you can handle either situation quite easily. Here is a very simple example that uses an openany() function to handle both compressed and uncompressed files.

#!/opt/splunk/bin/python
import sys, csv

def openany(p):
    if p.endswith(".gz"):
        import gzip
        return gzip.open(p)
    else:
        return open(p)

results_file = sys.argv[8]
for result in csv.DictReader(openany(results_file)):
    # Do whatever action with your results ...
    print results["_raw"]

You can probably get away with simply copying the openany() function to you script. (You should be able to easily adapt this to a non-python environment too since handing gzip files and csv content is pretty universal.)

Another option would be to use a small python wrapper script that isolates these differences from your script/executable. You could even make such a wrapper script write out just the raw events if your script only wants to see the event text rather than CSV format. (I could provide an example if you think that would be a good option.)

View solution in original post

Lowell · ‎06-14-2010

I'm not sure you can control if splunk will be handing you a compressed (.gz) or un-compressed file. I'm guessing that you can't. Either way the content of the results file is a simple CSV format.

If you are using a python script as your scripted action, then you can handle either situation quite easily. Here is a very simple example that uses an openany() function to handle both compressed and uncompressed files.

#!/opt/splunk/bin/python
import sys, csv

def openany(p):
    if p.endswith(".gz"):
        import gzip
        return gzip.open(p)
    else:
        return open(p)

results_file = sys.argv[8]
for result in csv.DictReader(openany(results_file)):
    # Do whatever action with your results ...
    print results["_raw"]

You can probably get away with simply copying the openany() function to you script. (You should be able to easily adapt this to a non-python environment too since handing gzip files and csv content is pretty universal.)

Another option would be to use a small python wrapper script that isolates these differences from your script/executable. You could even make such a wrapper script write out just the raw events if your script only wants to see the event text rather than CSV format. (I could provide an example if you think that would be a good option.)

dungpv · ‎07-05-2012

Hi Lowell,
I have the same problem as Anthony Hou. My result of alert is fortmat zip. I want change from zip to CSV. Could you please guide me? Thanks a lot.

script alert filetype question

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation