Splunk Search

How to create custom command search?

lnn2204
Path Finder

Hi guys, I'm using Splunk 8.0.

I want to create a command that can send some info to another platform via web or API. I read the Dev page, but it is hard to understand. Do you know some easy script?

Like I have a table after a search:

a    b    c    Action
312  213  13   1
13   123  46   0

When Action=1, the script will send the info {a:312,b:213,c:13} to another platform, e.g. send a message to Telegram.

<basesearch>
| where action=1
| sendinfo a,b,c

1 Solution

shivanshu1593
Builder

I'm hoping that you have done the part of setting up commands.conf and the metadata for your custom command. The error that you are seeing comes down to the fact that the field records is None type, meaning it contains no values and you cannot iterate over None type. Looks like you are not able to pass the data from your SPL to your custom command. Also, you are doing a get request when you want to send (post) the data instead. Try the following (off the top of my head. May have some bugs that you can fix):

from __future__ import absolute_import, division, print_function, unicode_literals
import sys

from splunklib.searchcommands import dispatch, StreamingCommand, Configuration, Option, validators
import requests

# Replace with your bot token and chat id (better: read them from a secured .conf file)
BOT_TOKEN = "TOKEN"
CHAT_ID = "CHAT_ID"

@Configuration()
class GenerateTextCommand(StreamingCommand):

    fieldname = Option(
        doc='''
        **Syntax:** **fieldname=***<fieldname>*
        **Description:** Name of the field that will hold the send result''',
        require=True, validate=validators.Fieldname())

    def stream(self, records):
        for record in records:
            # positional field names given on the command line (e.g. "... a b c");
            # fall back to all fields of the record when none were given
            fields = self.fieldnames or list(record.keys())
            text = ", ".join("%s=%s" % (f, record.get(f)) for f in fields)
            # POST the message as form data so the text is URL-encoded and the token stays out of the query string
            r = requests.post("https://api.telegram.org/bot%s/sendMessage" % BOT_TOKEN,
                              data={"chat_id": CHAT_ID, "text": text}, timeout=10)
            record[self.fieldname] = r.text  # store the API response so it shows up in the search
            yield record  # a streaming command must yield every record it consumed

dispatch(GenerateTextCommand, sys.argv, sys.stdin, sys.stdout, __name__)


Please make sure that you run your custom command in the search (this will return the value of r; you may wish to format it once it works):

| yourcustomcommand fieldname=events_sent

Hope this helps,

###If it helps, please consider an upvote/accepting as an answer###

Thank you,
Shiv
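The two points made in this answer (the stream() generator must yield every record, and the data should be POSTed rather than stuffed into a GET URL) in an added, stand-alone example that is not the thread's code. It mirrors the stream() contract without importing splunklib so it runs offline; the sender is injected so the webhook can be swapped for a fake in tests, and the assumed record layout follows the question (fields a, b, c, filtered upstream with `| where action=1`).

```python
import json
from urllib.parse import urlencode
from urllib.request import Request, urlopen


def make_telegram_sender(token, chat_id, timeout=5):
    """Return a callable that POSTs text to the Bot API sendMessage endpoint.

    The token lives only in this closure, so it never ends up in a record,
    the search log, or a URL query string; form data keeps the text encoded.
    """
    url = "https://api.telegram.org/bot%s/sendMessage" % token

    def send(text):
        body = urlencode({"chat_id": chat_id, "text": text}).encode()
        with urlopen(Request(url, data=body, method="POST"), timeout=timeout) as resp:
            return resp.status

    return send


def stream_and_send(records, fieldnames, result_field, sender):
    """Generator equivalent of StreamingCommand.stream().

    For each record: build a payload from the requested fields only, send it,
    record the outcome in result_field, and yield the record back to Splunk.
    Assumed names; not the searchcommands API itself.
    """
    for record in records:
        payload = {f: record.get(f) for f in fieldnames}  # only a, b, c leave Splunk
        try:
            record[result_field] = str(sender(json.dumps(payload, sort_keys=True)))
        except Exception as exc:  # a failing webhook must not abort the whole search
            record[result_field] = "error: %s" % exc
        yield record  # forgetting this line turns the generator into a plain function


def broken_stream(records):
    """Reproduces the thread's TypeError: no yield, so the call returns None
    and the library's `for record in stream(...)` cannot iterate it."""
    for record in records:
        pass


if __name__ == "__main__":
    rows = [{"a": "312", "b": "213", "c": "13", "Action": "1"}]  # constructed sample row
    for out in stream_and_send(rows, ["a", "b", "c"], "events_sent", lambda text: 200):
        print(out)
```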

shivanshu1593
Builder

You can watch @techiesid YouTube channel to create your custom command

https://www.youtube.com/watch?v=tTfEv5fLZEs

###If it helps. Kindly consider an upvote/accepting as an answer###

Thank you,
Shiv

lnn2204
Path Finder

One more question: I just want to output the value of fields, then send it. So which command should I create? (Streaming, Generating, Transforming or something else). Because I'm using Streaming and it returns the error: TypeError at "/opt/splunk/etc/apps/testCommand/bin/splunklib/searchcommands/internals.py", line 573 : 'NoneType' object is not iterable

This is my command:

from __future__ import absolute_import, division, print_function, unicode_literals
import os,sys
import time

from splunklib.searchcommands import dispatch, StreamingCommand, Configuration, Option, validators
import requests

@Configuration()
class GenerateTextCommand(StreamingCommand):
    def stream(self,records):
        for record in records:
            fields = self.fieldnames
            i = record[fields[0]]
            botURL = "https://api.telegram.org/botTOKEN/sendMessage?chat_id=CHAT_ID&text="+str(i)
            r = requests.get(botURL)
        # nothing is yielded, so stream() returns None instead of a generator

dispatch(GenerateTextCommand, sys.argv, sys.stdin, sys.stdout, __name__)
lnn2204
Path Finder

Thank you. Because it's a streaming command, I need to put things back into the result. And I found the way 😄 thanks.
