Splunk Search

Passing search results to external python script

utpress
Engager

I know it's just my lack of knowledge with Splunk causing me some grief here but...

I want to pass search results to an external python script.

Here is my search:

sourcetype="*WinEventLog:Security" (EventCode=528 OR EventCode=4624) AND Logon_Type=10 | eval event_date = strftime(_time, "%D %T %P") | eval User = if(isnull(Account_Name), User_Name, mvindex(Account_Name,1)) | script python alogin User Source_Network_Address host

My python script merely sends me an email with what I thought would be the field values I passed (User, Source_Network_Address and host).

But I'm actually getting the words "User", "Source_Network_Address" and "Host" in the email.

Of course I tested the script and if I run the script - "python alogin.py nicholas 10.0.10.99 SERVER" it works and I'm sent an email with the three values passed as expected.

What am I missing here?

Thanks in advance.

thambisetty
SplunkTrust

I created an add-on which will call a python script with the result file.

You should have a python/shell script in the bin directory to be called by this script with the results.

I will post this add-on to splunk base soon.

————————————
If this helps, give a like below.
0 Karma

suryaavinash
Explorer

Hi,

I have a similar requirement and came across the solution below in a different post. Check if it helps.

https://answers.splunk.com/answers/149836/how-to-run-an-alert-script-on-field-values-generated-in-sp...

0 Karma

woodcock
Esteemed Legend

This isn't the "right" way to do this, but it is the most expedient and it allows you to recycle your traditional alert script for use in regular searches, too. This example assumes that you will be passing 2 fields to the script: src_ip and host; you will need to adjust slightly for the fields that you will be using.

Insert this code to your MyAlertScript.py code right before your existing code that accesses the results.csv.gz file in argv[8]:

import sys
import os
import gzip

# In order to facilitate Event Workflow Actions using runshellscript,
# we will hijack the arguments in one special case as follows:
#    1(sys.argv[1]) = '1'
#    2(sys.argv[2]) = '"<src_ip>","<host>"'
#    3(sys.argv[3]) = 'Hack'
#    4(sys.argv[4]) = 'to'
#    5(sys.argv[5]) = 'run'
#    6(sys.argv[6]) = 'from'
#    7(sys.argv[7]) = 'runshellscript'
#    8(sys.argv[8]) = * <- DO NOT CHECK because splunk modifies this on the way in
# If in this format we will pull the data directly out of the 2nd argument,
# instead of out of the results file.
# 'workdir' is the working directory your existing alert script already sets up.
specialCase = False # initialize to FALSE
if (len(sys.argv) > 8 and sys.argv[1] == '1' and sys.argv[3] == 'Hack' and
        sys.argv[4] == 'to' and sys.argv[5] == 'run' and sys.argv[6] == 'from' and
        sys.argv[7] == 'runshellscript'):
    print("SPECIAL CASE!") # Special case!
    specialCase = True # make sure we delete this file at the end!

    # Build a one-row results.csv.gz (header + the row from argv[2]) so the
    # existing results-file code further down works unchanged.
    fnz = os.path.join(workdir, 'results.csv.gz')
    with gzip.open(fnz, 'wb') as OFH:
        OFH.write('src_ip,host\n'.encode('utf-8'))
        OFH.write((sys.argv[2] + '\n').encode('utf-8'))

    sys.argv[8] = fnz
    #print("SPECIAL CASE: ARGV8=<" + sys.argv[8] + "> fnz=<" + fnz + ">")

Then at the bottom, add this, too:

if specialCase:
    os.remove(sys.argv[8]) # delete the fake zip file we made

Next you need a macro like this (to abstract away the trickery):

[MyScript]
definition = table src_ip host\
| map maxsearches=5000 search="|runshellscript MyAlertScript.py 1 \"\\\"\\\"$src_ip$\\\",\\\"$host$\\\"\\\"\" Hack to run from runshellscript 8"
iseval = 0

Now, to use it, you just do this:

My Search To Get Events With src_ip And host Here | `MyScript`

SPECIAL WARNING! This will not scale nicely if you pass a large number of results to the script because of the map command but it works GREAT for small numbers of events.

0 Karma

srinivasup
Explorer

Can you post the full MyAlertScript.py code for reference?

0 Karma

MuS
SplunkTrust

Hi utpress,

your script must import splunk.Intersplunk and use the following two lines to read results from previous searches:

import splunk.Intersplunk # Splunk's own module; run the script with Splunk's Python
myresults,dummyresults,settings = splunk.Intersplunk.getOrganizedResults() # getting search results from Splunk
for r in myresults: # loop the results; each r is a dict of field name -> value
    pass # your per-result logic goes here

Hope that helps ...

cheers, MuS
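Putting MuS's two lines together with the original question, here is a complete custom search command script that reads the rows Splunk hands it, counts remote logons per (User, Source_Network_Address, host) and emails the summary. This is an added example, not code from the thread; it assumes the script is installed as bin/alogin.py in an app, registered in commands.conf, run with Splunk's Python, and that the SMTP server and the two addresses are placeholders you replace.

```python
from collections import OrderedDict
from email.mime.text import MIMEText
import sys

FIELDS = ("User", "Source_Network_Address", "host")

SAMPLE_ROWS = [  # constructed rows in the shape getOrganizedResults() returns
    {"User": "nicholas", "Source_Network_Address": "10.0.10.99", "host": "SERVER"},
    {"User": "nicholas", "Source_Network_Address": "10.0.10.99", "host": "SERVER"},
    {"User": "", "Source_Network_Address": "10.0.10.8", "host": "SERVER"},  # no user: skipped
]

def summarize_logons(results):
    """Count rows per (User, Source_Network_Address, host). Rows with an empty
    or missing field are dropped rather than reported under the field name."""
    counts = OrderedDict()
    for row in results:
        if any(not row.get(f) for f in FIELDS):
            continue
        key = tuple(row[f] for f in FIELDS)
        counts[key] = counts.get(key, 0) + 1
    return counts

def build_message(counts, sender, recipient):
    # Render the counts as a plain-text MIMEText email (built, not sent).
    lines = ["%-20s %-18s %-15s %s" % ("User", "Source", "Host", "Logons")]
    for (user, src, host), n in counts.items():
        lines.append("%-20s %-18s %-15s %d" % (user, src, host, n))
    msg = MIMEText("\n".join(lines))
    msg["Subject"] = "Remote logons: %d distinct user/source/host tuples" % len(counts)
    msg["From"], msg["To"] = sender, recipient
    return msg

def main():
    if "--demo" in sys.argv:  # run outside Splunk against the sample rows
        print(build_message(summarize_logons(SAMPLE_ROWS), "a@example.com", "b@example.com"))
        return
    import smtplib
    import splunk.Intersplunk  # only resolvable under Splunk's own Python
    results, dummyresults, settings = splunk.Intersplunk.getOrganizedResults()
    counts = summarize_logons(results)
    if counts:
        msg = build_message(counts, "splunk@example.com", "secops@example.com")
        smtplib.SMTP("localhost").sendmail(msg["From"], [msg["To"]], msg.as_string())
    splunk.Intersplunk.outputResults(results)  # pass the rows on down the pipeline

if __name__ == "__main__":
    main()
```

The search from the question then ends in `| alogin` instead of `| script python alogin ...`, and the script sees the field values rather than the field names.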

annalisefolsen
Explorer

Hi MuS,

I thought that Intersplunk could change the event data when it is output (and not just display). I have done this and nothing has changed. Is this possible, or do I have to find another way to do this?

Thanks again for your help!

0 Karma

MuS
SplunkTrust

@annalisefolsen, I don't know what you are trying to achieve - but if you look at this example here http://docs.splunk.com/Documentation/Splunk/6.4.1/Search/Customsearchcommandshape you will learn how to pass a Splunk search result into a python script, do stuff with the result and return it into Splunk.

0 Karma

annalisefolsen
Explorer

Hi MuS,

I tried to import Intersplunk, but it can't find the import (the module cannot be found). Is there a special download that you need other than the SDK? Also, if you can direct me to more information on this module that would be wonderful! I have not been able to find any documentation so far.

Thank you!

0 Karma

MuS
SplunkTrust

@annalisefolsen,

Try to run this on your Splunk server (assuming it's Linux):

/opt/splunk/bin/splunk cmd python -c "import splunk.Intersplunk"

This will not fail. Remember to use Splunk's Python in your script and not the OS one located in /usr/bin/.
You can find some documentation here http://docs.splunk.com/Documentation/Splunk/6.4.1/Search/Writeasearchcommand and here http://dev.splunk.com/view/python-sdk/SP-CAAAEU2

Hope this helps ...

cheers, MuS

annalisefolsen
Explorer

Thank you. I've run it in Splunk and it is now able to find the module.

0 Karma

sanurd
Path Finder

I have a similar requirement of passing search results as arguments to a python script. Has anyone been able to work around this problem?

0 Karma

dcparker
Path Finder

Had any luck with this?

0 Karma