How to create custom command search?

lnn2204
Path Finder

Hi guys, I'm using Splunk 8.0

I want to create a command that can send some info to another platform via the web or an API. I read the Dev page, but it is hard to understand. Do you know some easy script?

Like I have a table after the search:

a    b    c    Action
312  213  13   1
13   123  46   0

When Action=1, the script will send info {a:1,b:213,c:13} to another platform, e.g. send a message to Telegram.

<basesearch>
| where Action=1
| sendinfo a,b,c

shivanshu1593
Builder

You can watch @techiesid's YouTube channel to create your custom command

https://www.youtube.com/watch?v=tTfEv5fLZEs

###If it helps, kindly consider an upvote/accepting as an answer###

Thank you,
Shiv
###If you found the answer helpful, kindly consider upvoting/accepting it as the answer as it helps other Splunkers find the solutions to similar issues###

lnn2204
Path Finder

One more question: I just want to output the value of the fields, then send it. So which command should I create? (Streaming, Generating, Transforming or something else). Because I'm using Streaming and it returns the error: TypeError at "/opt/splunk/etc/apps/testCommand/bin/splunklib/searchcommands/internals.py", line 573 : 'NoneType' object is not iterable

This is my command:

from __future__ import absolute_import, division, print_function, unicode_literals
import os, sys
import time

from splunklib.searchcommands import dispatch, StreamingCommand, Configuration, Option, validators
import requests

@Configuration()
class GenerateTextCommand(StreamingCommand):
    def stream(self, records):
        for record in records:
            fields = self.fieldnames
            i = record[fields[0]]
            botURL = "https://api.telegram.org/botTOKEN/sendMessage?chat_id=CHAT_ID&text=" + str(i)
            r = requests.get(botURL)
        # nothing is yielded here, so stream() returns None instead of records (the error above)

dispatch(GenerateTextCommand, sys.argv, sys.stdin, sys.stdout, __name__)

shivanshu1593
Builder

I'm hoping that you have done the part of setting up commands.conf and metadata for your custom command. The error that you are seeing is down to the fact that the field records is of None type, meaning it contains no values, and you cannot iterate over None type. Looks like you are not able to pass the data from your SPL to your custom command. Also, you are doing the get request, when you want to send (post) the data instead. Try the following (off the top of my head; it may have some bugs that you can fix):

from __future__ import absolute_import, division, print_function, unicode_literals
import sys

from splunklib.searchcommands import dispatch, StreamingCommand, Configuration, Option, validators
import requests

# Fill in your bot token and chat id here rather than on the search line,
# so they do not end up in Splunk's audit logs
TOKEN = "TOKEN"
CHAT_ID = "CHAT_ID"

@Configuration()
class GenerateTextCommand(StreamingCommand):

    fieldname = Option(
        doc='''
        **Syntax:** **fieldname=***<fieldname>*
        **Description:** Name of the field that will hold the HTTP status of the send''',
        require=True, validate=validators.Fieldname())

    def stream(self, records):
        fields = self.fieldnames  # positional args, e.g. the "a" in "| yourcustomcommand fieldname=events_sent a"
        if not fields:
            raise ValueError("give the field to send, e.g. | yourcustomcommand fieldname=events_sent a")
        botURL = "https://api.telegram.org/bot" + TOKEN + "/sendMessage"
        for record in records:
            i = record.get(fields[0], "")
            # POST the values as form data so they are encoded instead of spliced into the URL
            r = requests.post(botURL, data={"chat_id": CHAT_ID, "text": str(i)}, timeout=10)
            record[self.fieldname] = r.status_code  # a Response object is not useful in a Splunk field
            yield record  # stream() must yield every record back, or Splunk gets None

dispatch(GenerateTextCommand, sys.argv, sys.stdin, sys.stdout, __name__)

Please make sure that you run your custom command in the search (this will return the value of r; you may wish to format it once it works):

| yourcustomcommand fieldname=events_sent a

Hope this helps,

###If it helps, please consider an upvote/accepting as an answer###

Thank you,
Shiv
###If you found the answer helpful, kindly consider upvoting/accepting it as the answer as it helps other Splunkers find the solutions to similar issues###
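A complete sendinfo-style streaming command as an added example (not code from either poster): it copies out only the named fields, sends them as a JSON body rather than spliced into the URL, and yields every record back so the 'NoneType' error above cannot recur. It assumes Python 3 (python.version = python3 in commands.conf), that the gating field is Action=1 as in the question, and that the webhook URL, including any token, is supplied in a hypothetical environment variable SENDINFO_WEBHOOK_URL; the helpers sit outside the splunklib import so they can be tested without a Splunk host.

```python
import json
import os
import sys
import urllib.request


def build_message(record, fieldnames, gate=("Action", "1")):
    """Return the JSON text to send for one record, or None to skip it.

    Only the explicitly named fields are copied out, so nothing else in the
    event reaches the remote platform.  `gate` mirrors the `where Action=1`
    filter from the question (the field name and value are assumptions).
    """
    key, wanted = gate
    if record.get(key) != wanted:
        return None
    return json.dumps({name: record.get(name) for name in fieldnames}, sort_keys=True)


def post_message(url, text, timeout=5):
    """POST the message as a JSON body; returns the HTTP status code."""
    body = json.dumps({"text": text}).encode("utf-8")
    req = urllib.request.Request(url, data=body,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    # splunklib lives in the app's bin/ directory on the Splunk host, so the
    # command class is only defined when Splunk actually runs the script.
    from splunklib.searchcommands import (Configuration, Option,
                                          StreamingCommand, dispatch, validators)

    @Configuration()
    class SendInfoCommand(StreamingCommand):
        """Usage: ... | sendinfo fieldname=sent_status a b c"""
        fieldname = Option(require=True, validate=validators.Fieldname())

        def stream(self, records):
            # Hypothetical: the URL (with any token) comes from the environment,
            # not from the search string, so it is not written to the audit log.
            url = os.environ["SENDINFO_WEBHOOK_URL"]
            for record in records:
                text = build_message(record, self.fieldnames)
                if text is not None:
                    try:
                        record[self.fieldname] = post_message(url, text)
                    except OSError as exc:  # URLError/HTTPError are OSError subclasses
                        record[self.fieldname] = "error: %s" % exc
                yield record  # every record must be yielded back to Splunk

    dispatch(SendInfoCommand, sys.argv, sys.stdin, sys.stdout, __name__)
```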

lnn2204
Path Finder

Thank you. Because it's a streaming command, I need to put things back into the result. And I found the way 😄 Thanks.
