Splunk Dev

Splunk SDK for Python: Why am I unable to access the top-level keys from outside of the orig_raw field within my adaptive response action?

zestep
New Member

I'm using the Splunk SDK for Python to create an adaptive response action!

My events are well-structured JSON objects - but from within my adaptive response action I am not able to access the top-level keys from outside of the orig_raw field. Is this normal? How can I control this?

```python
# field_name is supplied elsewhere in the poster's script (not shown here)
def do_genericevent(result):
    field = result.get(field_name)
```
I have some incoming JSON events like { "key" : "value" } but in the 'result' dictionary within my adaptive response action these are all shelved under "orig_raw". Is this normal?

0 Karma

starcher
Influencer

You can save yourself a lot of pain if you use Splunk Add-on Builder from splunkbase to make custom alert actions/adaptive responses.

0 Karma

kchamplin_splun
Splunk Employee

What's the rest of your code look like? I'm interested in how you're instantiating your adaptive response class, as well as how you're creating the "result" object, as that should be generated from an unzip of the results file (per the example here: http://dev.splunk.com/view/enterprise-security/SP-CAAAFBH)

```python
with gzip.open(modaction.results_file, 'rb') as fh:
    for num, result in enumerate(csv.DictReader(fh)):
```

zestep
New Member

The code works great. The result dictionary looks like { .... "orig_raw" : {my original json} } when I would prefer the original json to appear at the top level in the result-set. I think it's just a matter of configuring things correctly? What controls this?

0 Karma

zestep
New Member

```python
# Excerpt from the poster's script: the imports (gzip, csv, os, sys, logging),
# logger and the modaction instance are set up earlier and are not shown.
session_key = modaction.session_key

modaction.addinfo()
## process results
if not os.path.exists(modaction.results_file):
    logger.info("No results available to process: %s does not exist, exiting." % modaction.results_file)
    sys.exit(0)
with gzip.open(modaction.results_file, 'rb') as fh:
    for num, result in enumerate(csv.DictReader(fh)):
        ## set rid to row # (0->n) if unset
        result.setdefault('rid', str(num))

        modaction.update(result)
        modaction.invoke()

        act_result = modaction.dowork(result)

        if act_result:
            modaction.message('Successfully Changed Policy', status='success')
        else:
            modaction.message('Failed to change Policy', status='failure', level=logging.ERROR)

        modaction.writeevents(source='carbonblackdefenseapi')
```
0 Karma
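The thread leaves the question open, so here is an added example (not code from the thread or from Splunk's SDK) that reads the gzipped results CSV the way the loop above does and hoists the JSON keys carried in orig_raw to the top level of each result row without clobbering Splunk's own fields. The column names other than orig_raw, the sample rows and the in-memory gzip file are constructed so the example runs offline.

```python
import csv
import gzip
import io
import json

# Constructed sample of the gzipped results CSV an adaptive response
# receives: each row's orig_raw column holds the original JSON event.
# Column names other than orig_raw are assumptions.
SAMPLE_CSV = (
    '_time,host,orig_raw\n'
    '1700000000,sensor-1,"{""key"": ""value"", ""host"": ""laptop-7""}"\n'
    '1700000001,sensor-2,not json at all\n'
)


def promote_orig_raw(result, prefix="orig_"):
    """Copy a result row and hoist the JSON object in orig_raw to the
    top level. A key the row already has (Splunk's own host, _time...)
    is kept; the event's value lands under prefix+key instead, so no
    field is silently overwritten. Non-JSON orig_raw is left alone."""
    out = dict(result)
    try:
        event = json.loads(result.get("orig_raw") or "")
    except ValueError:
        return out
    if not isinstance(event, dict):
        return out
    for key, value in event.items():
        out[key if key not in out else prefix + key] = value
    return out


def load_results(fh):
    """Read a gzipped results file the way the modaction loop does,
    returning the rows with orig_raw promoted. Text mode is needed on
    Python 3, where csv will not accept the bytes that 'rb' yields."""
    rows = []
    with gzip.open(fh, "rt", newline="") as text:
        for num, result in enumerate(csv.DictReader(text)):
            result.setdefault("rid", str(num))
            rows.append(promote_orig_raw(result))
    return rows


def sample_results():
    """Compress the constructed CSV in memory and load it."""
    buf = io.BytesIO()
    with gzip.open(buf, "wt") as gz:
        gz.write(SAMPLE_CSV)
    buf.seek(0)
    return load_results(buf)
```

Calling promote_orig_raw on each row right after the rid default, and before modaction.update(result), gives do_genericevent-style code a flat result dict to read from.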