Splunk Cloud Platform

python code not working after declaring python3

DataOrg
Builder

external script was working in python2x version but after forcing to use pythion3, its return with error code 1. python script.

 

import sys,splunk.Intersplunk
import xml.sax
import xml.sax.saxutils as saxutils
from xml.sax.handler import ContentHandler
from xml.sax.handler import EntityResolver
from xml.sax.xmlreader import InputSource
import StringIO

class NullInputSource(InputSource):
    def getByteStream(self):
        return StringIO.StringIO("entity files not supported.")

class NullEntityResolver(EntityResolver):
    def resolveEntity(self,publicId,systemId):
        return NullInputSource()

class XmlHandler(ContentHandler):
    def __init__(self):
        self.indent = 0

    def reset(self , r):
        self.current_output = ''
        self.indent = 0
        self.open_tag = ''

    def getOutput(self):
        return self.current_output

    def startElement(self, name, attrs):
        self.open_tag = name
        self.current_output += '\n' + '  ' * self.indent
        self.indent += 1
        self.current_output += '<' + name

        if attrs.getLength() > 0:
            for k in attrs.getNames():
                self.current_output += ' ' + k + '=' + saxutils.quoteattr(attrs.getValue(k))
        self.current_output += '>'

    def characters(self, content):
        if len(content.strip()) > 0:
#            self.current_output += '  ' * self.indent
            self.current_output += saxutils.escape( content ) #+ '\n'

    def endElement(self, name):
        self.indent -= 1
        if self.open_tag != name:
            self.current_output += '\n' + '  ' * self.indent
        self.current_output += '</' + name + '>'

try:
    results,dummyresults,settings = splunk.Intersplunk.getOrganizedResults()

    handler = XmlHandler()

    for r in results:
        try:
            if 'xml' in r:
                xml_text = r['xml']
                dest_field = 'xml'
            else:
                raw = r["_raw"]
                dest_field = '_raw'

                xml_text = raw[ raw.index( '<' ) : raw.rindex( '>' )+1 ]

            handler.reset(xml_text)
            parser = xml.sax.make_parser()
            parser.setContentHandler(handler)
            parser.setEntityResolver(NullEntityResolver())
            parser.parse(StringIO.StringIO(xml_text))

            r[dest_field] = handler.getOutput()

            if 'xml' in r:
                xml_text = r['xml']
            else:
                raw = r["_raw"]

        except:
            import traceback
            stack =  traceback.format_exc()
            r['_raw'] = "Failed to parse: " + str(stack) + "\n" + r['_raw']

except:
    import traceback
    stack =  traceback.format_exc()
    results = splunk.Intersplunk.generateErrorResults("Error : Traceback: " + str(stack))

splunk.Intersplunk.outputResults( results )

 

@kamlesh_vaghela

 

[xmlformat]
filename = xmlformat.py
retainsevents = true
overrides_timeorder = false
run_in_preview = false
streaming = true
python.version = python3

 

 

Labels (1)
0 Karma
1 Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust

@DataOrg 

Your provided script is not compatible with python3. You can validate by executing below command. It will execute script and gives you appropriate error. 

/opt/splunk/bin/splunk cmd python3 /opt/splunk/etc/apps/MyApp/bin/myscript.py

 

I did the same for you. Can you please try below script?

 

import sys,splunk.Intersplunk
import xml.sax
import xml.sax.saxutils as saxutils
from xml.sax.handler import ContentHandler
from xml.sax.handler import EntityResolver
from xml.sax.xmlreader import InputSource
try:
    from StringIO import StringIO ## for Python 2
except ImportError:
    from io import StringIO ## for Python 3

class NullInputSource(InputSource):
    def getByteStream(self):
        return StringIO("entity files not supported.")

class NullEntityResolver(EntityResolver):
    def resolveEntity(self,publicId,systemId):
        return NullInputSource()

class XmlHandler(ContentHandler):
    def __init__(self):
        self.indent = 0

    def reset(self , r):
        self.current_output = ''
        self.indent = 0
        self.open_tag = ''

    def getOutput(self):
        return self.current_output

    def startElement(self, name, attrs):
        self.open_tag = name
        self.current_output += '\n' + '  ' * self.indent
        self.indent += 1
        self.current_output += '<' + name

        if attrs.getLength() > 0:
            for k in attrs.getNames():
                self.current_output += ' ' + k + '=' + saxutils.quoteattr(attrs.getValue(k))
        self.current_output += '>'

    def characters(self, content):
        if len(content.strip()) > 0:
#            self.current_output += '  ' * self.indent
            self.current_output += saxutils.escape( content ) #+ '\n'

    def endElement(self, name):
        self.indent -= 1
        if self.open_tag != name:
            self.current_output += '\n' + '  ' * self.indent
        self.current_output += '</' + name + '>'

try:
    results,dummyresults,settings = splunk.Intersplunk.getOrganizedResults()

    handler = XmlHandler()

    for r in results:
        try:
            if 'xml' in r:
                xml_text = r['xml']
                dest_field = 'xml'
            else:
                raw = r["_raw"]
                dest_field = '_raw'

                xml_text = raw[ raw.index( '<' ) : raw.rindex( '>' )+1 ]

            handler.reset(xml_text)
            parser = xml.sax.make_parser()
            parser.setContentHandler(handler)
            parser.setEntityResolver(NullEntityResolver())
            parser.parse(StringIO(xml_text))

            r[dest_field] = handler.getOutput()

            if 'xml' in r:
                xml_text = r['xml']
            else:
                raw = r["_raw"]

        except:
            import traceback
            stack =  traceback.format_exc()
            r['_raw'] = "Failed to parse: " + str(stack) + "\n" + r['_raw']

except:
    import traceback
    stack =  traceback.format_exc()
    results = splunk.Intersplunk.generateErrorResults("Error : Traceback: " + str(stack))

splunk.Intersplunk.outputResults( results )

 

Happy Splunking

KV

View solution in original post

kamlesh_vaghela
SplunkTrust
SplunkTrust

@DataOrg 

Your provided script is not compatible with python3. You can validate by executing below command. It will execute script and gives you appropriate error. 

/opt/splunk/bin/splunk cmd python3 /opt/splunk/etc/apps/MyApp/bin/myscript.py

 

I did the same for you. Can you please try below script?

 

import sys,splunk.Intersplunk
import xml.sax
import xml.sax.saxutils as saxutils
from xml.sax.handler import ContentHandler
from xml.sax.handler import EntityResolver
from xml.sax.xmlreader import InputSource
try:
    from StringIO import StringIO ## for Python 2
except ImportError:
    from io import StringIO ## for Python 3

class NullInputSource(InputSource):
    def getByteStream(self):
        return StringIO("entity files not supported.")

class NullEntityResolver(EntityResolver):
    def resolveEntity(self,publicId,systemId):
        return NullInputSource()

class XmlHandler(ContentHandler):
    def __init__(self):
        self.indent = 0

    def reset(self , r):
        self.current_output = ''
        self.indent = 0
        self.open_tag = ''

    def getOutput(self):
        return self.current_output

    def startElement(self, name, attrs):
        self.open_tag = name
        self.current_output += '\n' + '  ' * self.indent
        self.indent += 1
        self.current_output += '<' + name

        if attrs.getLength() > 0:
            for k in attrs.getNames():
                self.current_output += ' ' + k + '=' + saxutils.quoteattr(attrs.getValue(k))
        self.current_output += '>'

    def characters(self, content):
        if len(content.strip()) > 0:
#            self.current_output += '  ' * self.indent
            self.current_output += saxutils.escape( content ) #+ '\n'

    def endElement(self, name):
        self.indent -= 1
        if self.open_tag != name:
            self.current_output += '\n' + '  ' * self.indent
        self.current_output += '</' + name + '>'

try:
    results,dummyresults,settings = splunk.Intersplunk.getOrganizedResults()

    handler = XmlHandler()

    for r in results:
        try:
            if 'xml' in r:
                xml_text = r['xml']
                dest_field = 'xml'
            else:
                raw = r["_raw"]
                dest_field = '_raw'

                xml_text = raw[ raw.index( '<' ) : raw.rindex( '>' )+1 ]

            handler.reset(xml_text)
            parser = xml.sax.make_parser()
            parser.setContentHandler(handler)
            parser.setEntityResolver(NullEntityResolver())
            parser.parse(StringIO(xml_text))

            r[dest_field] = handler.getOutput()

            if 'xml' in r:
                xml_text = r['xml']
            else:
                raw = r["_raw"]

        except:
            import traceback
            stack =  traceback.format_exc()
            r['_raw'] = "Failed to parse: " + str(stack) + "\n" + r['_raw']

except:
    import traceback
    stack =  traceback.format_exc()
    results = splunk.Intersplunk.generateErrorResults("Error : Traceback: " + str(stack))

splunk.Intersplunk.outputResults( results )

 

Happy Splunking

KV

DataOrg
Builder

@kamlesh_vaghela thanks for the help and teaching for debugging the code . awesome

0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

@DataOrg  let me check it. BTW Which Splunk version you are using? Splunk 8.0.5 or higher?

0 Karma

DataOrg
Builder

@kamlesh_vaghela  splunk cloud version is 

Version:8.0.2007.1

Tags (1)
0 Karma
Get Updates on the Splunk Community!

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...