- Apps & Add-ons
- :
- Splunk Development
- :
- Splunk Dev
- :
- Splunk SDK for Python: Why am I unable to access t...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk SDK for Python: Why am I unable to access the top-level keys from outside of the orig_raw field within my adaptive response action?
I'm using the splunk SDK for python to create an adaptive response action!
My events are well-structured JSON objects - but from within my adaptive response ation I am not able to access the top-level keys from outside of the orig_raw field. Is this normal? How can I control this?
---code---
def do_genericevent(result):
field = result.get(field_name)
--code--
I have some incoming JSON events like { "key" : "value" } but in the 'result' dictionary within my adaptive response action these are all shelved under "orig_raw". Is this normal?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can save yourself a lot of pain if you use Splunk Add-on Builder from splunkbase to make custom alert actions/adaptive responses.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Whats the rest of your code look like? Im interested in how you're instantiating your adaptive response class, as well as how you're creating the "result" object, as that should be generated from an unzip of the results file (per the example here: http://dev.splunk.com/view/enterprise-security/SP-CAAAFBH)
with gzip.open(modaction.results_file, 'rb') as fh:
for num, result in enumerate(csv.DictReader(fh)):
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The code works great. The result dictionary looks like { .... "orig_raw" : {my original json} } when I would prefer the original json to appear at the top level in the result-set. I think it's just a matter of configuring things correctly? What controls this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
session_key = modaction.session_key
modaction.addinfo()
## process results
if not os.path.exists(modaction.results_file):
logger.info("No results available to process: %s does not exist, exiting." % modaction.results_file)
sys.exit(0)
with gzip.open(modaction.results_file, 'rb') as fh:
for num, result in enumerate(csv.DictReader(fh)):
## set rid to row # (0->n) if unset
result.setdefault('rid', str(num))
modaction.update(result)
modaction.invoke()
act_result = modaction.dowork(result)
if act_result:
modaction.message('Successfully Changed Policy', status='success')
else:
modaction.message('Failed to change Policy', status='failure', level=logging.ERROR)
modaction.writeevents(source='carbonblackdefenseapi')
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
