Passing Variables OR Writing to a file

username9000
New Member

Greetings,

I am trying to output an IP address from a search to a script. My goal is to have the search call a script to block the IPs it finds. Below is my search and an example of its results.

 My Search: host="192.168.4.1" UTM5 Login failed: | stats count by src_ip | where count >3 | return src_ip

 Returns: src_ip="192.168.4.23"

How do I pass the src_ip from my search to a script I am calling? Or do I have to write it to a separate file?

0 Karma

jonuwz
Influencer

Hi.

This isn't a very detailed answer, but hopefully will be of some help.

What you're doing would normally run as a scheduled search, when you run a scheduled search, you can create an alert on it based on the results.

So if you have a saved search defined as :

host="192.168.4.1" UTM5 Login failed: | stats count by src_ip | where count >3 | fields src_ip

and have an alert condition 'where number of results > 0'

Then your script (in <splunk install dir>/bin/scripts) will run and do whatever you want it to do.

Your script will be passed several arguments.

The 8th arg will be the filename that contains the raw results - this will be gzipped.

So your script will probably look something like:

#!/bin/bash
# $8 is the gzipped CSV of results; line 1 is the header row, so skip it.
gunzip -c "$8" | tail -n +2 | tr -d '"\r' | while IFS= read -r ip; do
   [ -n "$ip" ] && block "$ip"   # 'block' stands for your firewall command
done
0 Karma
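A fuller version of the handler described in the answer above, added here as an example (it is not code from the thread or from Splunk): it takes the results file from the 8th positional argument, finds the src_ip column by its header name instead of assuming a column order, de-duplicates the values, checks that each one really is an IPv4 address before it is handed to a blocking command, and includes a constructed results file so the script can be dry-run without Splunk. The names BLOCK_CMD, results_field, is_ipv4, block_from_results and make_sample_results are my own, and BLOCK_CMD is a placeholder for whatever firewall CLI you actually use.

```shell
#!/bin/sh
# Added example, not code from the thread: a scripted-alert handler that reads
# the gzipped results file Splunk passes as the 8th positional argument, picks
# the src_ip column by its header name, validates each value as an IPv4
# address, and hands it to a blocking command.
# BLOCK_CMD is a hypothetical placeholder; point it at your real firewall CLI.
BLOCK_CMD="${BLOCK_CMD:-echo block}"

# Print every value of one column from a gzipped Splunk results CSV.
# Usage: results_field <gzipped csv> <column name>
# Assumes the column values contain no embedded commas (true for IP addresses).
results_field() {
    gunzip -c "$1" | tr -d '"\r' | awk -F, -v f="$2" '
        NR == 1 { for (i = 1; i <= NF; i++) if ($i == f) col = i; next }
        col && $col != "" { print $col }'
}

# Accept only a dotted quad with octets 0-255, so a hostile string in the log
# (src_ip is attacker-influenced input) never reaches the shell or the firewall CLI.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++)
              if ($i !~ /^[0-9]+$/ || length($i) > 3 || $i + 0 > 255) exit 1 }
        { exit 0 }'
}

# De-duplicate, validate and block each src_ip in the results file.
# Invalid values are reported on stderr and skipped.
block_from_results() {
    results_field "$1" src_ip | sort -u | while IFS= read -r ip; do
        if is_ipv4 "$ip"; then
            $BLOCK_CMD "$ip"
        else
            printf 'skipping non-IPv4 value: %s\n' "$ip" >&2
        fi
    done
}

# Constructed sample results file in the shape Splunk writes (header row, then
# one quoted row per result), so the handler can be dry-run without Splunk.
make_sample_results() {
    printf '"src_ip","count"\n"192.168.4.23","7"\n"10.0.0.9","4"\n"10.0.0.9","4"\n"256.1.1.1","5"\n"1.2.3; rm -rf /","6"\n' \
        | gzip -c > "$1"
}

# Splunk calls the script with eight positional arguments; $8 is the results file.
if [ $# -ge 8 ]; then
    block_from_results "$8"
fi
```

Put the script in <splunk install dir>/bin/scripts, make it executable, and select it as the alert's script; Splunk then invokes it with the results path as $8 exactly as the answer describes. The validation step is the part worth keeping even if you simplify the rest: src_ip is taken from a log line, and interpolating unvalidated log content into a shell command or a firewall CLI is a classic injection path.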

jonuwz
Influencer

Possibly you could use script but I have no experience with that.

0 Karma

username9000
New Member

Thanks for your help. Is there any direct way to pass the IP address to the script? Or is outputting the results to a file and then having a script search said file the only way? I'm thinking more of a programming way, which is probably inapplicable.

0 Karma

username9000
New Member

I have figured out how to output the IP to a text file via

 host="192.168.4.1" UTM5 Login failed: | stats count by src_ip | where count >3 | return src_ip | outputtext usexml=false | rename _xml as raw | fields - raw, _raw | outputcsv results.txt 

But I am still looking to pass the IP from the search directly into the script that will run. The variables found below do not put out any useful information.

http://docs.splunk.com/Documentation/Splunk/5.0.1/Alert/Configuringscriptedalerts

0 Karma