I am creating a simple script to take a hex(base 16) encoded field and convert it to readable text. For this endeavor, I have decided to use the built-in Python function for strings "<string>.decode("hex")." I would like to use this script in a search "pipeline" running a field called packet through the statement and creating a new field of decoded text in the process.
I have read the documentation for the API splunk.Intersplunk; however, I am not 100% understanding what exactly I need to use to complete my script. Specifically, from the examples I have seen, I do not understand what the following line does for me:
(isgetinfo, sys.argv) = splunk.Intersplunk.isGetInfo(sys.argv)
Additionally in the case of collecting results and creating the new field, is the following line needed?
results = splunk.Intersplunk.readResults(None, None, False)
So you are tracking: this is what I have thus far, and I believe I am close.
import sys
import string
import splunk.Intersplunk

# Program takes a hex encoded string from a field and outputs the decoded value
# in the search results at the gui

# isGetInfo() strips Splunk's "__GETINFO__" bookkeeping arguments off sys.argv
# and returns the remaining arguments; isgetinfo is True when Splunk is only
# asking the command to describe itself rather than process events
(isgetinfo, sys.argv) = splunk.Intersplunk.isGetInfo(sys.argv)

if len(sys.argv) < 2:
    # make sure there is an argument (the field name) passed; if not, return an error
    splunk.Intersplunk.parseError("[!] No arguments provided, please provide one argument.")
    sys.exit(1)

# the name of the field whose value should be decoded, e.g. "packet"
field = sys.argv[1]

# read the events coming down the pipeline as a list of dicts (one per result)
results = splunk.Intersplunk.readResults(None, None, False)

for result in results:
    # grab the string from the field and make it uppercase because I like uppercase hex strings :)
    hexstr = result.get(field, "").upper()
    # make sure all characters are hex and the length is even (decode("hex") rejects odd lengths)
    if hexstr and len(hexstr) % 2 == 0 and all(char in string.hexdigits for char in hexstr):
        result[field + "_decoded"] = hexstr.decode("hex")
    else:
        # return an error if it's not a hex string
        splunk.Intersplunk.parseError("[!] String provided is not [A-F 0-9], please validate your inputs")
        sys.exit(1)

# write the (now extended) results back to the pipeline
splunk.Intersplunk.outputResults(results)
Also, I am aware of the need for the stanza setting below.
[decode_hex]
TYPE = python
FILENAME = decode_hex.py
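The decoding step of the pipeline, separated from the Splunk plumbing so it can be run and checked outside Splunk. This is an added example, not the poster's script or Splunk's own code: it works on a plain list of dicts (the shape splunk.Intersplunk.readResults returns), the field names packet and packet_decoded are assumptions, and it uses binascii.unhexlify so it runs on Python 3 as well as the Python 2 str.decode("hex") used on the page. Instead of aborting the whole search on the first bad event, it records a per-event error field and keeps going; the sample events are constructed.

```python
import binascii
import string


def is_hex_string(value):
    """True when value is non-empty, even-length and made only of hex digits."""
    return (
        len(value) > 0
        and len(value) % 2 == 0
        and all(ch in string.hexdigits for ch in value)
    )


def decode_hex_field(results, field, new_field=None):
    """Decode the hex value in `field` of every result into `new_field`.

    results   -- list of dicts, as returned by splunk.Intersplunk.readResults()
    field     -- name of the field holding hex text (assumed: "packet")
    new_field -- name of the field to create (default: field + "_decoded")

    Events without the field are left untouched. Events whose value is not
    valid hex get an error field instead of stopping the pipeline.
    """
    new_field = new_field or field + "_decoded"
    for result in results:
        value = result.get(field)
        if value is None:
            continue
        value = value.strip().upper()
        if not is_hex_string(value):
            result[new_field + "_error"] = "value is not an even-length hex string"
            continue
        raw = binascii.unhexlify(value)
        # packet payloads are not guaranteed to be text; keep undecodable bytes
        # visible as U+FFFD rather than raising inside the search
        result[new_field] = raw.decode("utf-8", errors="replace")
    return results


# constructed sample events standing in for readResults() output
SAMPLE_RESULTS = [
    {"host": "a", "packet": "48656c6c6f20776f726c64"},   # "Hello world"
    {"host": "b", "packet": "4869"},                     # "Hi"
    {"host": "c", "packet": "ABC"},                      # odd length
    {"host": "d", "packet": "ZZ"},                       # not hex
    {"host": "e", "packet": "FF"},                       # not valid UTF-8
    {"host": "f"},                                       # field missing
]


if __name__ == "__main__":
    for row in decode_hex_field(SAMPLE_RESULTS, "packet"):
        print(row)
```

In the real command the loop body stays the same; only reading the results and writing them back goes through splunk.Intersplunk.readResults and splunk.Intersplunk.outputResults.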
After creating the python script, copy the script to $SPLUNK_HOME/etc/system/local directory.
Create or edit the existing authorize.conf.
In commands.conf add:
FILENAME = yourscript.py
In authorize.conf add:
runscript_yourcustomcommand = enabled
Restart Splunk to test the command.