Splunk Dev

creating splunk search in python script

thambisetty
SplunkTrust

Hi Splunk,

I am trying to create a Splunk search in my Python script, where the script is being used to create an HPSM ticket.

I have created an HPSM action and added it to a correlation search as an adaptive response action. This executes the Python script, and I need to find the event_id for orig_sid (the sid from Splunk standard input) before creating the ticket, and add the event_id to the request that creates the HPSM ticket. For this I have created a method in the same script that runs a search to get the event_id for that sid. The search is returning nothing. If I run the method in a different Python script, it works fine.

Here is my method, which creates the search in Splunk (I used both create and export):

import logging
import splunklib.client as client
import splunklib.results as results

logger = logging.getLogger(__name__)

def run_search(sid):
    logger.debug("Entered with sid '%s'", sid)
    #sid='scheduler_s785863SplunkEnterpriseSecuritySuite_RMD53eff93817270d051_at_1511794860_96'
    #kwargs_export = {"earliest_time": "-24h","latest_time": "now","search_mode": "normal","output_mode":"json"}
    # The sid is concatenated into the SPL as-is (not quoted).
    searchquery_export = "search `notable`| search orig_sid=" + sid + " | table event_id"
    logger.debug("Search Query '%s'", searchquery_export)
    service = client.connect(username="splunk", password="********")
    logger.debug("Service connect %s", service)
    #time.sleep(60)
    #exportsearch_results = service.jobs.export(searchquery_export, **kwargs_export)
    # jobs.create takes the search options as keyword arguments, not as a dict.
    job = service.jobs.create(searchquery_export, exec_mode="blocking")
    logger.debug("Inner job SID '%s'", job.sid)
    result_stream = job.results()
    reader = results.ResultsReader(result_stream)
    event_ids = []
    for item in reader:
        logger.debug("Inner job Results '%s'", item)
        # The reader also yields Message objects; only dict rows are search results.
        if isinstance(item, dict) and "event_id" in item:
            event_ids.append(item["event_id"])
    return event_ids
    #query_results = exportsearch_results.read()
    #logger.debug("Notable Result '%s'", query_results )
    #return query_results
If I use a static sid, it works.

Please help me out.
Thanks in advance.

————————————
If this helps, give a like below.

hardikJsheth
Motivator

Try surrounding sid with quotes, i.e.

searchquery_export = "search `notable`| search orig_sid=\"" + sid + "\" | table event_id"

I use the searchAll/searchOne methods of Splunk for executing a search from a Python script, which is easier compared to creating a job. Sharing it for your reference.

import splunk.search as splunkSearch

def lookup_labels(workload_uuid, session_key, app_name):
    # workload_uuid is interpolated into the SPL, so only pass it a value you trust.
    labels = splunkSearch.searchAll('| inputlookup abc_workload_mapping_lookup | search workload_d="%s" hostname = "*" | dedup type | table href type' % workload_uuid, sessionKey=session_key, namespace=app_name, owner='nobody')
    labelsList = list(labels)
    return labelsList

thambisetty
SplunkTrust

Thanks for your answer.

How did you get the session key?


hardikJsheth
Motivator

If it's a Python script, you need to set the "passAuth" variable in inputs.conf.

passAuth = splunk-system-user

Splunk will pass the session key as an argument to your Python script, which can be accessed with the following line.

sessionKey = sys.stdin.readline().strip()

In case it's an AR action, you can access it from modaction.session_key.

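The two points made in the answers above, quoting the value that is spliced into the SPL and authenticating with the session key Splunk hands the script instead of a stored username/password, put together in one script. This is an added example, not code from the original posts. It assumes Splunk invokes the action with `--execute` and a JSON payload on stdin of which only the `sid`, `session_key` and `server_uri` keys are used (the real payload carries more keys, which are ignored), and that the Splunk Python SDK (`splunklib`) is importable when it actually runs under Splunk; the helper names, the sample payload and the search output are made up for the example. The pure helpers run without Splunk, so the quoting and payload handling can be tested outside the AR action.

```python
import io
import json
import sys
from urllib.parse import urlparse

# Constructed stand-in for the JSON document Splunk writes to stdin when it runs a
# modular alert / adaptive response action with --execute. A real payload has more
# keys (search_name, owner, results_file, configuration, ...); only the ones read
# below are included. The sid is the example value from the thread, the session key
# is a placeholder.
SAMPLE_PAYLOAD = json.dumps({
    "sid": "scheduler_s785863SplunkEnterpriseSecuritySuite_RMD53eff93817270d051_at_1511794860_96",
    "app": "SplunkEnterpriseSecuritySuite",
    "server_uri": "https://127.0.0.1:8089",
    "session_key": "constructed-session-key-not-real",
    "result": {"src": "10.0.0.5"},
})


def read_session_key(stream):
    """passAuth case (scripted input): Splunk writes the session key as the first stdin line."""
    return stream.readline().strip()


def read_payload(stream):
    """Alert-action case (--execute): stdin carries one JSON document with the session key inside."""
    payload = json.load(stream)
    missing = [k for k in ("sid", "session_key", "server_uri") if not payload.get(k)]
    if missing:
        raise ValueError("alert payload is missing %s" % ", ".join(missing))
    return payload


def spl_quote(value):
    """Render value as a double-quoted SPL string literal.

    Backslash and double quote are the characters that escape or terminate a quoted
    SPL string, so both are escaped; spaces, pipes and '=' are then inert inside it.
    """
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_notable_search(orig_sid):
    """The thread's search with the sid quoted instead of concatenated raw."""
    return "search `notable` | search orig_sid=" + spl_quote(orig_sid) + " | table event_id"


def split_server_uri(server_uri):
    """Turn the payload's server_uri (e.g. https://127.0.0.1:8089) into connect() arguments."""
    parsed = urlparse(server_uri)
    return parsed.scheme, parsed.hostname, parsed.port or 8089


def find_event_ids(payload):
    """Run the search with the payload's session key; return the event_id of each notable found.

    splunklib is imported here so the helpers above can be tested without the SDK installed.
    """
    import splunklib.client as client
    import splunklib.results as results

    scheme, host, port = split_server_uri(payload["server_uri"])
    # token= takes the session key Splunk issued for this action, so no credentials
    # have to be stored in the script or its configuration.
    service = client.connect(scheme=scheme, host=host, port=port, token=payload["session_key"])
    job = service.jobs.create(build_notable_search(payload["sid"]), exec_mode="blocking")
    reader = results.ResultsReader(job.results())
    # The reader also yields Message objects (search warnings); only dict rows are results.
    return [row["event_id"] for row in reader if isinstance(row, dict) and "event_id" in row]


if __name__ == "__main__":
    if "--execute" in sys.argv:
        sys.stdout.write(json.dumps(find_event_ids(read_payload(sys.stdin))) + "\n")
    else:
        # Offline dry run on the constructed payload: print the SPL that would be submitted.
        print(build_notable_search(read_payload(io.StringIO(SAMPLE_PAYLOAD))["sid"]))
```

The quoting matters beyond this one field: anything copied out of the payload's `result` into SPL the same way is an SPL injection path if it comes from event data, and `spl_quote` neutralises it. For the `passAuth` scripted-input case, `read_session_key` replaces `read_payload`, and the same `token=` connection is used with the key it returns.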

hardikJsheth
Motivator

@thambisetty did you resolve your problem? It will be helpful for all if you can provide your solution here.


thambisetty
SplunkTrust

The script works when I run it separately, but when I include it in the other script it does not work.

What I have observed so far:
I have created two Python files: 1. the adaptive response, which takes the payload from the notable event and creates the ticket in HPSM; 2. while updating the ticket, I need to get the event_id by running a search against notable with the filter orig_sid.
I am calling the second script from the first script's main function. The second script is called with the orig_sid parameter and logs a job_id, but gives no results. This is where I got stuck.

If I run the second script alone, passing static values, it works fine.

Please let me know your experiences if you have seen this before.
