Splunk Search

How to run a Python script as a command?

power12
Communicator

Hello Splunkers,

I have created a script and placed it in

<splunk_home>/etc/apps/search/bin/seq.py

Below is the script for it:

```python
import time

import splunklib.client as client
import splunklib.results as results

# Splunk connection details
HOST = "localhost"
PORT = 8089
USERNAME = "admin"
PASSWORD = "changeme"

# Create a Splunk service instance
service = client.connect(
    host=HOST,
    port=PORT,
    username=USERNAME,
    password=PASSWORD
)

# List of specific saved searches to run in sequence
saved_searches_to_run = ['List of Indexes', 'List of Source Types', 'List of Sources']

# Function to run a saved search
def run_saved_search(saved_search_name):
    saved_search = service.saved_searches[saved_search_name]
    job = saved_search.dispatch()
    while not job.is_done():
        time.sleep(1)  # Wait for the job to complete without spinning the CPU
    # Read the results back as dicts (the reader also yields Message objects)
    reader = results.JSONResultsReader(job.results(output_mode="json"))
    # Print the raw search results
    print(f"Search results for {saved_search_name}:")
    for result in reader:
        print(result)
    print()

# Run the specific saved searches in sequence
for saved_search_name in saved_searches_to_run:
    print("Running saved search:", saved_search_name)
    run_saved_search(saved_search_name)
    print("Completed saved search:", saved_search_name)
    print()
```

I placed the command in

<splunk_home>/etc/apps/search/local/commands.conf

[seq]
filename=seq.py

But when I ran the command in Splunk as

|seq

it returns the error "External search command 'seq' returned error code 1."

This sample code works correctly with |test

```python
import sys
import splunk.Intersplunk

# Read parameters (the first argument after the command name, if any)
name_prefix = sys.argv[1] if len(sys.argv) > 1 else ""
# Output data should be a list of dictionaries like this
data = [{'name': 'xyz', 'age': 23}, {'name': 'abc', 'age': 24}]
for record in data:
    record['name'] = name_prefix + record['name']
# Use the `outputResults` function from `splunk.Intersplunk` to send the data back to Splunk
splunk.Intersplunk.outputResults(data)
```

Should the Splunk SDK be installed?

This is a single-instance Splunk.


0 Karma
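The thread has no answer yet. As an added example (not code from the thread or from Splunk), the block below shows how the same run-saved-searches-in-sequence script would be structured as a legacy Intersplunk-style custom command, in the shape of the `|test` sample that works: it returns rows through `outputResults`, it reports any failure through `generateErrorResults` so the search UI shows the reason instead of a bare "returned error code 1", it replaces the busy wait with a bounded poll so a hung job cannot hang the search forever, and it uses the session key Splunk passes to the command (which requires `passauth = true` in the commands.conf stanza) instead of hard-coded credentials. It assumes splunklib is importable by Splunk's own Python, which is not the case by default, so that import is guarded. `wait_for_job`, `rows_from_reader`, `run_saved_searches` and `SAVED_SEARCHES` are names chosen here; the saved-search names are the hypothetical ones from the post.

```python
"""Legacy (Intersplunk-protocol) custom search command that runs saved searches in order.

Added example, not code from the thread or from Splunk. Assumptions (labelled):
  - Splunk launches it through a commands.conf stanza with passauth = true, so the
    session key arrives in the settings block read by getOrganizedResults();
  - splunklib (Splunk SDK for Python) is importable by Splunk's own Python, which is
    not true by default, so the import is guarded and reported as a search error.
"""
import sys
import time

try:
    import splunklib.client as client
    import splunklib.results as results
except ImportError:  # the SDK is not bundled with Splunk's Python
    client = None
    results = None

try:
    import splunk.Intersplunk as intersplunk  # ships with Splunk; absent off-box
except ImportError:
    intersplunk = None

# Hypothetical saved-search names, as in the post
SAVED_SEARCHES = ["List of Indexes", "List of Source Types", "List of Sources"]


def wait_for_job(job, timeout_s=120.0, poll_s=1.0, sleep=time.sleep, clock=time.monotonic):
    """Poll job.is_done() with a pause between checks and a hard deadline.

    Returns True when the job finished, False if the deadline passed. A bare
    `while not job.is_done(): pass` burns a CPU core and, for a job that never
    completes, leaves the search hanging forever.
    """
    deadline = clock() + timeout_s
    while not job.is_done():
        if clock() >= deadline:
            return False
        sleep(poll_s)
    return True


def rows_from_reader(reader, search_name):
    """Keep only result dicts (the reader also yields Message objects), tagging each row."""
    rows = []
    for item in reader:
        if isinstance(item, dict):
            row = {"saved_search": search_name}
            row.update(item)
            rows.append(row)
    return rows


def run_saved_searches(service, names, wait=wait_for_job, reader_factory=None):
    """Dispatch each saved search in sequence and collect every result row."""
    if reader_factory is None:
        if results is None:
            raise RuntimeError("splunklib is not installed in Splunk's Python")

        def reader_factory(job):
            return results.JSONResultsReader(job.results(output_mode="json"))

    all_rows = []
    for name in names:
        job = service.saved_searches[name].dispatch()
        if not wait(job):
            raise RuntimeError(f"saved search {name!r} did not finish in time")
        all_rows.extend(rows_from_reader(reader_factory(job), name))
    return all_rows


def main():
    if intersplunk is None:
        sys.exit("this script must be launched by Splunk as a custom search command")
    try:
        # settings carries the caller's session key; no credentials in the script
        _results_in, _dummy, settings = intersplunk.getOrganizedResults()
        if client is None:
            raise RuntimeError("splunklib is not installed in Splunk's Python")
        service = client.connect(host="localhost", port=8089, token=settings["sessionKey"])
        intersplunk.outputResults(run_saved_searches(service, SAVED_SEARCHES))
    except Exception as exc:
        # Surface the reason in the search UI instead of a bare "returned error code 1"
        intersplunk.outputResults(intersplunk.generateErrorResults(str(exc)))


if __name__ == "__main__":
    main()
```

With this layout, a missing SDK or a missing session key shows up as an `ERROR` row in the search results rather than as an opaque exit code, which is the first thing to check when a command "returns error code 1"; the pure helpers (`wait_for_job`, `rows_from_reader`, `run_saved_searches`) take their collaborators as parameters so they can be exercised outside Splunk with stand-ins.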

power12
Communicator

Does anyone have any idea on how to do it?

0 Karma