- Community
- :
- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- script alert filetype question
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi all,
I have a question about script alert. Now the script alert will transform the result to gzip filetype. Is there any way to change the filetype to txt or csv filetype? As I know, splunk 3.x will transform the result to non-gz filetype. But on splunk 4.x, default is .gz filetype.
tks for any solutions.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm not sure you can control if splunk will be handing you a compressed (.gz) or un-compressed file. I'm guessing that you can't. Either way the content of the results file is a simple CSV format.
If you are using a python script as your scripted action, then you can handle either situation quite easily. Here is a very simple example that uses an openany() function to handle both compressed and uncompressed files.
#!/opt/splunk/bin/python
import sys, csv
def openany(p):
if p.endswith(".gz"):
import gzip
return gzip.open(p)
else:
return open(p)
results_file = sys.argv[8]
for result in csv.DictReader(openany(results_file)):
# Do whatever action with your results ...
print results["_raw"]
You can probably get away with simply copying the openany() function to you script. (You should be able to easily adapt this to a non-python environment too since handing gzip files and csv content is pretty universal.)
Another option would be to use a small python wrapper script that isolates these differences from your script/executable. You could even make such a wrapper script write out just the raw events if your script only wants to see the event text rather than CSV format. (I could provide an example if you think that would be a good option.)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm not sure you can control if splunk will be handing you a compressed (.gz) or un-compressed file. I'm guessing that you can't. Either way the content of the results file is a simple CSV format.
If you are using a python script as your scripted action, then you can handle either situation quite easily. Here is a very simple example that uses an openany() function to handle both compressed and uncompressed files.
#!/opt/splunk/bin/python
import sys, csv
def openany(p):
if p.endswith(".gz"):
import gzip
return gzip.open(p)
else:
return open(p)
results_file = sys.argv[8]
for result in csv.DictReader(openany(results_file)):
# Do whatever action with your results ...
print results["_raw"]
You can probably get away with simply copying the openany() function to you script. (You should be able to easily adapt this to a non-python environment too since handing gzip files and csv content is pretty universal.)
Another option would be to use a small python wrapper script that isolates these differences from your script/executable. You could even make such a wrapper script write out just the raw events if your script only wants to see the event text rather than CSV format. (I could provide an example if you think that would be a good option.)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Lowell,
I have the same problem as Anthony Hou. My result of alert is fortmat zip. I want change from zip to CSV. Could you please guide me? Thanks a lot.
Take the 2021 Splunk Career Survey for $50 in Amazon Cash
Using Machine Learning for Hunting Security Threats
Observability Newsletter Highlights | March 2023
