Re: External lookup Python Script: How to send a c...

prabhan · ‎04-25-2020

Hi Splunkers,

My external lookup working just fine and the results are proper.

As mentioned in the below screenshot my_test_lookup.py is available in my /etc/apps/[my_app]/bin/my_test_lookup.py.

I don't have any issue with the external lookup with python script.

Is there any way to send a custom message from python script to splunk GUI whenever the search event matches the custom limit number(1000).

This limit is not from the splunk configs. this limit has been provided in my external lookup python script.

r = csv.DictReader(infile)
header = r.fieldnames
w = csv.DictWriter(outfile, fieldnames=r.fieldnames)
w.writeheader()

event_count = 0
search_limit = 1000
for result in r:
    if result[group_field]:
        result[field1] = "test1"
        result[field2] = "testfiedl2"
        w.writerow(result)
        event_count += 1
        if event_count == search_limit:
            reach_limit_msg = "Reached Limit %d" % event_count
            send_message(reach_limit_msg)
            print("Reached Limit %d" % event_count)
            logger.warning("Reached Limit %d" % event_count)
            sys.exit(0)

It may be a kind of popup saying your search limit 1000 exceeded or something like below mentioned screenshot.

FYI: I have already tried bulletin message by referencing this url . It worked like charm, but it sends a bulletin message to all the users who logged in, but i would like to send a message to only the person who fired the SPL query.

Please help, Thanks in advance _/_.

jkat54 · ‎04-26-2020

If you switch to a newer version of the search commands it seems pretty easy. See the "doc" sections of the commands here:

https://github.com/splunk/splunk-sdk-python/tree/master/examples/searchcommands_app/package/bin/

prabhan · ‎04-26-2020

@jkat54 Thank you so much for your response, much appreciated!

I'm using Splunk 7+, Can you please bit elaborate how can i make use of the search commands doc.

If possible any examples please!

jkat54 · ‎04-26-2020

Did you look at the link I provided? There were plenty of examples.

prabhan · ‎04-26-2020

@jkat54 Yes, I have checked that. So as per my understanding we can create a custom search command for my use case. but i already started working with the External Lookup. Now there is no option to change it from external lookup to custom search command.

jkat54 · ‎04-26-2020

Oh right I missed that. The SPL command might be easier but if you want to try the scripted lookup you should check out intersplunk.

https://python.hotexamples.com/examples/splunk/Intersplunk/-/python-intersplunk-class-examples.html

prabhan · ‎04-27-2020

@jkat54 Scripted lookup not rely on intersplunk,
Here is my findings- Python search commands rely on Intersplunk.py to grab events from the search pipeline and pass the modified events back. The arguments passed to your script
in sys.argv are the same arguments you use when searching with the command.

So we need to identify some other way to display a custom message to the Splunk SH.

I just wanted to print the error in the Splunk search head. whenever it cross the limit.

As per my research its not possible i guess. please let me know if you have any other idea?? pls..

jkat54 · ‎04-27-2020

I mean it couldn't hurt to try...

except Exception, e:
    import traceback

    stack = traceback.format_exc()
    splunk.Intersplunk.generateErrorResults(str(e))

External lookup Python Script: How to send a custom error message to Splunk SH UI

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life