Splunk Dev

Is there a simple resource for how to code up extensions in Python that work with the stats() command?

rgoerwit
Engager

Is there a good, simple resource for how to code up extensions in Python that work with the stats() command?

Background:

I'd never thought of using Python with Splunk...until this last month, when literally thousands of IP addresses started trying to brute-force user passwords using my org's externally visible systems. Each address tries a few passwords for a few users, making it silly to block individual IP addresses. I could block networks, but that's overkill unless I can tune the netmasks.

Anyway, I wrote up a Python script to help me figure out a set of minimal networks/masks I can block - more than individual IP addresses but less than, say, mechanically blocking a bunch of fixed-width netblocks. The script runs at a command line and has proven useful.

But it occurs to me that I should be rewriting it to work with the Splunk stats command and output a list (like values()).

I have read over some Splunk documentation on how to do this - or tried. It's spread out and what I can find is, to me, inscrutable. I do some coding, but generally, it's in Perl, C#, C, etc. I'm probably just missing something. There is likely a good, simple resource out there and I've missed it.

0 Karma

xpac
SplunkTrust

I see two possible ways:

What would most likely be the "cleanest" way is creating a custom alert action. You could then schedule a search and have your custom alert action trigger, it being provided with the result of that search. I've not done this yet and please be aware that Splunk still runs Python 2 (sadly).
You could start on that here.

The quick and dirty approach would be to run the Splunk CLI and have it output the results in CSV style, then load that CSV into your Python and there you go.
The CLI command could be like this:
splunk search "index=badguys yoursearchhere | stats count by something" -output csv -auth admin:changeme

Pick your poison. 😉

Hope that helps - if it does I'd be happy if you would upvote/accept this answer, so others could profit from it. 🙂

0 Karma
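One way to finish xpac's quick-and-dirty route, as an added example that is code from neither poster: a script that reads the CSV the CLI prints for `stats count by src_ip`, then collapses the addresses one prefix length at a time into the smallest netblocks that each hold at least `min_hosts` offending addresses, never widening past `shortest_prefix`. The field name `src_ip`, the sample rows (documentation ranges) and both thresholds are assumptions.

```python
import csv
import io
import ipaddress
import sys
from collections import defaultdict

# Constructed sample of the CSV that `splunk search "... | stats count by src_ip" -output csv`
# prints; the addresses are documentation ranges, not real attackers.
SAMPLE_CSV = """\
src_ip,count
198.51.100.17,4
198.51.100.18,3
198.51.100.20,5
198.51.100.200,2
203.0.113.9,6
203.0.113.10,4
192.0.2.77,3
"""

def parse_stats_csv(text):
    """Map each src_ip in the stats output to its event count."""
    reader = csv.DictReader(io.StringIO(text))
    return {ipaddress.ip_address(r["src_ip"]): int(r["count"]) for r in reader}

def minimal_blocks(ips, min_hosts=3, shortest_prefix=24):
    """Merge /32s, one prefix length at a time, into the smallest supernet holding
    at least min_hosts offenders; a block is never wider than shortest_prefix."""
    blocks = {ipaddress.ip_network(str(ip)): {ip} for ip in ips}
    for prefix in range(31, shortest_prefix - 1, -1):
        groups = defaultdict(list)          # candidate supernet -> current blocks inside it
        for net in blocks:
            groups[net.supernet(new_prefix=prefix)].append(net)
        merged = {}
        for supernet, members in groups.items():
            covered = set().union(*(blocks[m] for m in members))
            if len(members) > 1 and len(covered) >= min_hosts:
                merged[supernet] = covered  # dense enough: widen the mask
            else:
                merged.update((m, blocks[m]) for m in members)
        blocks = merged
    return [str(net) for net in sorted(blocks, key=lambda n: (n.version, n))]

def plan_blocks(csv_text, min_hosts=3, shortest_prefix=24):
    """CSV from the Splunk CLI in, list of CIDR strings to block out."""
    return minimal_blocks(parse_stats_csv(csv_text), min_hosts, shortest_prefix)

if __name__ == "__main__":
    # Pipe the CLI output in, e.g.: splunk search "..." -output csv | python blocks.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CSV
    print("\n".join(plan_blocks(text)))
```

Lowering `min_hosts` or raising `shortest_prefix` is the "tune the netmasks" knob: a lone address always stays a /32, so nothing gets blocked on a single hit.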