- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How does one create inline Python scripts for use ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How does one create inline Python scripts for use in Splunk searches?
I am creating a simple script to take a hex(base 16) encoded field and convert it to readable text. For this endeavor, I have decided to use the built-in Python function for strings "<string>.decode("hex")." I would like to use this script in a search "pipeline" running a field called packet through the statement and creating a new field of decoded text in the process.
I have read the documentation for the API splunk.Intersplunk, however, I am not 100% understanding what exactly that I need to use to complete my script. Specifically, from the examples I have seen, I do not understand what the following lines do for me?
(isgetinfo, sys.argv) = splunk.Intersplunk.isGetInfo(sys.argv)
Additionally in the case of collecting results and creating the new field, is the following line needed?
results = splunk.Intersplunk.readResults(None, None, False)
So you are tracking this is what I have thus far and I believe I am close.
import sys
import splunk.Intersplunk
import string
#Program takes hex encoded string from a field and outputs value in search results at the gui
(isgetinfo, sys.argv) = splunk.Intersplunk.isGetInfo(sys.argv) #debug to see arguments I think Does it print these out?
results = splunk.Intersplunk.readResults(None, None, False)
str=""
if len(sys.argv) < 2: # make sure there is an argument passed if not return error
splunk.Intersplunk.parseError("[!] No arguments provided, please provide one argument.")
sys.exit(1)
else: #grab the string from sys.argv and make it uppercase because I like uppercase hex strings :)
str=sys.argv[1]
str=str.upper()
if all(char in string.hexdigits for char in str): # make sure all characters are hex
decoded_string = str.decode("hex")
splunk.Intersplunk.outputResults(decoded_string)
else: # return an error if its not a hex string
splunk.Intersplunk.parseError("[!] String provided is not [A-F 0-9], please validate your inputs")
sys.exit(1)
Also I am aware of the need for the STANZA setting below.
[decode_hex]
TYPE = python
FILENAME = decode_hex.py
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
After creating the python script, copy the script to $SPLUNK_HOME/etc/system/local directory.
reate or edit existing authorize.conf
and commands.conf.
In commands.conf add:
[youcommandname]
FILENAME = yourscript.py
In authorize.conf add:
[capability::run_script_yourcustomcommand]
[role_admin]
run_script_yourcustomcommand = enabled
Restart Splunk to test the command.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This does not answer my question. Please read the full text of what i wrote. Explain how i pass values not stanza or administrative settings please
Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...
Preparing your Splunk Environment for OpenSSL3
Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector
