Splunk Search

How does one create inline Python scripts for use in Splunk searches?


I am creating a simple script to take a hex(base 16) encoded field and convert it to readable text. For this endeavor, I have decided to use the built-in Python function for strings "<string>.decode("hex")." I would like to use this script in a search "pipeline" running a field called packet through the statement and creating a new field of decoded text in the process.

I have read the documentation for the API splunk.Intersplunk, however, I am not 100% understanding what exactly that I need to use to complete my script. Specifically, from the examples I have seen, I do not understand what the following lines do for me?

(isgetinfo, sys.argv) = splunk.Intersplunk.isGetInfo(sys.argv) 

Additionally in the case of collecting results and creating the new field, is the following line needed?

results = splunk.Intersplunk.readResults(None, None, False)

So you are tracking this is what I have thus far and I believe I am close.

import sys
import splunk.Intersplunk
import string

#Program takes hex encoded string from a field and outputs value in search results at the gui
(isgetinfo, sys.argv) = splunk.Intersplunk.isGetInfo(sys.argv) #debug to see arguments I think Does it print these out?
results = splunk.Intersplunk.readResults(None, None, False) 


if len(sys.argv) < 2: # make sure there is an argument passed if not return error
    splunk.Intersplunk.parseError("[!] No arguments provided, please provide one argument.")

else: #grab the string from sys.argv and make it uppercase because I like uppercase hex strings :)

if all(char in string.hexdigits for char in str): # make sure all characters are hex    
    decoded_string = str.decode("hex")

else: # return an error if its not a hex string
    splunk.Intersplunk.parseError("[!] String provided is not [A-F 0-9], please validate your inputs")

Also I am aware of the need for the STANZA setting below.

TYPE = python
FILENAME = decode_hex.py
0 Karma


After creating the python script, copy the script to $SPLUNK_HOME/etc/system/local directory.
reate or edit existing authorize.conf
and commands.conf.

In commands.conf add:

FILENAME = yourscript.py

In authorize.conf add:


script_yourcustomcommand = enabled

Restart Splunk to test the command.

0 Karma


This does not answer my question. Please read the full text of what i wrote. Explain how i pass values not stanza or administrative settings please

0 Karma