Splunk Search

How does one create inline Python scripts for use in Splunk searches?

dc5553
Explorer

I am creating a simple script to take a hex (base 16) encoded field and convert it to readable text. For this endeavor, I have decided to use the built-in Python string method "<string>.decode("hex")". I would like to use this script in a search "pipeline", running a field called packet through the statement and creating a new field of decoded text in the process.

I have read the documentation for the API splunk.Intersplunk; however, I am not 100% understanding what exactly I need to use to complete my script. Specifically, from the examples I have seen, I do not understand what the following line does for me:

(isgetinfo, sys.argv) = splunk.Intersplunk.isGetInfo(sys.argv) 

Additionally in the case of collecting results and creating the new field, is the following line needed?

results = splunk.Intersplunk.readResults(None, None, False)

So you are tracking, this is what I have thus far, and I believe I am close.

import sys
import string
import splunk.Intersplunk


# Program takes a hex encoded string from a field and outputs the decoded value in the search results at the GUI.
# isGetInfo() checks whether Splunk launched the script in "getinfo" mode (asking the command about its
# capabilities rather than passing events) and strips that flag from sys.argv, so what is left in sys.argv
# is whatever the user typed after the command name in the search. It does not print anything.
(isgetinfo, sys.argv) = splunk.Intersplunk.isGetInfo(sys.argv)

if len(sys.argv) < 2:  # make sure a field name was passed, if not return an error
    splunk.Intersplunk.parseError("[!] No arguments provided, please provide one argument.")
    sys.exit(1)

field = sys.argv[1]  # the field to decode, e.g. "packet"

# readResults() parses the events Splunk pipes into the command into a list of dicts (one per event)
results = splunk.Intersplunk.readResults(None, None, False)

for result in results:
    value = result.get(field, "").upper()  # I like uppercase hex strings :)
    # make sure all characters are hex and the length is even before decoding
    if value and len(value) % 2 == 0 and all(char in string.hexdigits for char in value):
        result["decoded_" + field] = value.decode("hex")  # Python 2 str method
    else:  # not a hex string: leave the new field empty instead of aborting the whole search
        result["decoded_" + field] = ""

# outputResults() expects the list of result dicts, not a bare string
splunk.Intersplunk.outputResults(results)

Also I am aware of the need for the STANZA setting below.

[decode_hex]
TYPE = python
FILENAME = decode_hex.py
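The decode step from the question, as an added example that is not the poster's script and does not depend on splunk.Intersplunk: `decode_hex_field` takes a list of result dicts shaped like what readResults() returns (the sample events below are constructed), adds the decoded field to each one, and records a per-event error instead of aborting the search. It also escapes non-printable bytes, since a decoded packet payload can carry control characters or terminal escape sequences that would otherwise land verbatim in the results a user views.

```python
import string


def hex_to_text(value):
    """Decode a hex string to text. Returns (text, error).

    Non-printable bytes are escaped as \\xNN so a decoded payload cannot
    inject control characters or terminal escapes into the search output.
    """
    value = value.strip().upper()
    if not value:
        return "", "empty value"
    if any(char not in string.hexdigits for char in value):
        return "", "not [A-F 0-9]"
    if len(value) % 2:
        return "", "odd number of hex digits"
    raw = bytes.fromhex(value)
    text = "".join(chr(b) if 32 <= b < 127 else "\\x%02x" % b for b in raw)
    return text, None


def decode_hex_field(results, field, new_field=None):
    """Add a decoded copy of `field` to every result dict.

    A value that cannot be decoded gets an empty decoded field plus an
    "<new_field>_error" field, so one bad event does not kill the search.
    """
    new_field = new_field or "decoded_" + field
    for result in results:
        text, error = hex_to_text(result.get(field, ""))
        result[new_field] = text
        if error:
            result[new_field + "_error"] = error
    return results


# Constructed sample events shaped like what readResults() hands back
SAMPLE_RESULTS = [
    {"_raw": "ev1", "packet": "48656c6c6f"},  # "Hello"
    {"_raw": "ev2", "packet": "1b5b326a41"},  # ESC [ 2 j A, a terminal escape
    {"_raw": "ev3", "packet": "zz"},          # not hex
    {"_raw": "ev4", "packet": "abc"},         # odd length
    {"_raw": "ev5"},                          # field missing
]

if __name__ == "__main__":
    for row in decode_hex_field(SAMPLE_RESULTS, "packet"):
        print(row)
```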

jensonthottian
Contributor

After creating the Python script, copy the script to the $SPLUNK_HOME/etc/system/local directory.
Create or edit an existing authorize.conf and commands.conf.

In commands.conf add:

[youcommandname]
FILENAME = yourscript.py

In authorize.conf add:

[capability::run_script_yourcustomcommand]

[role_admin]
run_script_yourcustomcommand = enabled

Restart Splunk to test the command.


dc5553
Explorer

This does not answer my question. Please read the full text of what I wrote. Explain how I pass values, not stanza or administrative settings, please.
