Splunk Search

Passing Variables OR Writing to a file

username9000
New Member

Greetings,

I am trying to output an IP address from a search to a script. My goal is to have the search call a script to block the IP it finds. Below is my search and an example of its results.

My Search: host="192.168.4.1" UTM5 Login failed: | stats count by src_ip | where count >3 | return src_ip

Returns: src_ip="192.168.4.23"

How do I pass the src_ip from my search to a script I am calling? Or do I have to write it to a separate file?

0 Karma

jonuwz
Influencer

Hi.

This isn't a very detailed answer, but hopefully will be of some help.

What you're doing would normally run as a scheduled search, when you run a scheduled search, you can create an alert on it based on the results.

So if you have a saved search defined as :

host="192.168.4.1" UTM5 Login failed: | stats count by src_ip | where count >3 | fields src_ip

and have an alert condition 'where number of results > 0'

Then your script (in <splunk install dir>/bin/scripts) will run and do whatever you want it to do.

Your script will be passed several arguments.

The 8th arg will be the filename that contains the raw results - this will be gzipped.

So your script will probably look something like:

#!/bin/bash
# $8 is the gzipped results file Splunk passes to a scripted alert;
# the first line is the CSV header, so skip it
gunzip -c "$8" | tail -n +2 | while IFS= read -r ip; do
   ip=${ip//\"/}     # strip the CSV quoting around the value
   block "$ip"       # 'block' stands for whatever blocking command you use
done

0 Karma
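The scripted-alert handler described above, written out as an added example (not code from the thread or from Splunk): it reads the gzipped results file from argument 8, picks the src_ip column by header name rather than by position, validates each value before acting, and uses `block_ip` as an assumed placeholder that only logs. `make_sample_results` builds a constructed results file so the handler can be tried without a live alert.

```shell
#!/bin/sh
# Added example (not from the original thread): a scripted-alert handler for
# the saved search above. Splunk hands the script the gzipped results file
# as its 8th argument. Assumptions: the CSV has a header row with a column
# named src_ip; block_ip is a placeholder that only logs, not a firewall call.

# Pull the src_ip column out of the gzipped CSV by header name, so the script
# keeps working even if the search later emits more columns (e.g. count).
extract_src_ips() {
    gzip -dc "$1" | awk -F',' '
        NR == 1 { for (i = 1; i <= NF; i++) { gsub(/"|\r/, "", $i); if ($i == "src_ip") col = i }; next }
        col     { gsub(/"|\r/, "", $col); if ($col != "") print $col }'
}

# Accept only a dotted-quad IPv4 address with octets 0-255, so a malformed
# or unexpected value from the results file never reaches the block action.
is_ipv4() {
    printf '%s\n' "$1" | awk -F'.' '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9][0-9]?[0-9]?$/ || $i > 255) exit 1 }'
}

# Placeholder (assumption): record the decision instead of touching a firewall.
block_ip() {
    printf '%s block %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" >> "${BLOCK_LOG:-/tmp/blocked_ips.log}"
}

# Process one results file; prints the number of addresses acted on.
handle_alert() {
    n=0
    for ip in $(extract_src_ips "$1"); do   # validated values contain no whitespace
        if is_ipv4 "$ip"; then block_ip "$ip"; n=$((n + 1)); else echo "skip: $ip" >&2; fi
    done
    echo "$n"
}

# Constructed sample in the shape of Splunk's results.csv.gz, for trying the
# handler without a live alert: header row, then one row per result.
make_sample_results() {
    printf '"src_ip","count"\n"192.168.4.23","7"\n"10.0.0.5","4"\n"not-an-ip","5"\n"999.1.1.1","9"\n' \
        | gzip -c > "$1"
}

# When Splunk runs the script, the 8th argument is the results file.
if [ -n "$8" ]; then handle_alert "$8"; fi
```

Run it as `sh handler.sh a b c d e f g /path/to/results.csv.gz` to mimic Splunk's argument order; rejected values are reported on stderr rather than silently dropped.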

jonuwz
Influencer

Possibly you could use script but I have no experience with that.

0 Karma

username9000
New Member

Thx for your help. Is there any direct way to pass the IP address to the script? Or is outputting the results to a file and then having a script search said file the only way? I'm thinking more of a programming way, which is probably inapplicable.

0 Karma

username9000
New Member

I have figured out how to output the IP to a text file via

host="192.168.4.1" UTM5 Login failed: | stats count by src_ip | where count >3 | return src_ip | outputtext usexml=false | rename _xml as raw | fields - raw, _raw | outputcsv results.txt

But I am still looking to pass the IP from the search directly into the script that will run. The variables found below do not put out any useful information.

http://docs.splunk.com/Documentation/Splunk/5.0.1/Alert/Configuringscriptedalerts

0 Karma