I know it's just my lack of knowledge with Splunk causing me some grief here but...
I want to pass search results to an external python script.
Here is my search:
sourcetype="*WinEventLog:Security" (EventCode=528 OR EventCode=4624) AND LogonType=10 | eval eventdate = strftime(_time, "%D %T %P") | eval User = if(isnull(AccountName), UserName, mvindex(AccountName,1)) | script python alogin User SourceNetworkAddress host
My python script merely sends me an email with what I thought would be the field values I passed (User, SourceNetworkAddress and host).
But I'm actually getting the words "User", "SourceNetworkAddress" and "Host" in the email.
Of course I tested the script and if I run the script - "python alogin.py nicholas 10.0.10.99 SERVER" it works and I'm sent an email with the three values passed as expected.
What am I missing here?
Thanks in advance.
I have a similar requirement of passing search results as arguments to a python script. Has anyone been able to work around this problem?
Your script must import splunk.Intersplunk and use the following two lines to read the results from the previous search:

    import splunk.Intersplunk

    # getting search results from Splunk
    myresults, dummyresults, settings = splunk.Intersplunk.getOrganizedResults()
    for r in myresults:  # loop the results
        pass  # do something with each result dict r
Hope that helps ...
I tried to import Intersplunk, but it can't find the import (the module cannot be found). Is there a special download that you need other than the SDK? Also, if you can direct me to more information on this module that would be wonderful! I have not been able to find any documentation so far.
Try to run this on your Splunk server (assuming it's Linux):
/opt/splunk/bin/splunk cmd python -c "import splunk.Intersplunk"
This will not fail. Remember to use Splunk's Python in your script and not the OS one located in
You can find some documentation here http://docs.splunk.com/Documentation/Splunk/6.4.1/Search/Writeasearchcommand and here http://dev.splunk.com/view/python-sdk/SP-CAAAEU2
Hope this helps ...
I thought that Intersplunk could change the event data when it is output (and not just display). I have done this and nothing has changed. Is this possible, or do I have to find another way to do this?
Thanks again for your help!
@annalisefolsen, I don't know what you are trying to achieve - but if you look at this example here http://docs.splunk.com/Documentation/Splunk/6.4.1/Search/Customsearchcommandshape you will learn how to pass a Splunk search result into a python script, do stuff with the result and return it into Splunk.
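The pattern from the answers above (read the preceding search's rows with splunk.Intersplunk, look the fields up in each row instead of expecting them as argv values, add a field and hand the rows back to Splunk), as an added example that is not the original poster's alogin.py or anything from the Splunk docs. The field names User, SourceNetworkAddress and host are the ones from the question; the sample rows are constructed, and the Intersplunk calls only run inside Splunk's own python.

```python
"""alogin.py as a custom search command (added example, not the poster's script).

The formatting lives in pure functions so it can be exercised outside Splunk;
main() holds the Intersplunk glue and only runs under Splunk's bundled python.
"""
import sys

# Default field names, matching '| script python alogin User SourceNetworkAddress host'
FIELDS = ("User", "SourceNetworkAddress", "host")

# Constructed sample rows, in the shape getOrganizedResults() returns (one dict per event)
SAMPLE_RESULTS = [
    {"User": "nicholas", "SourceNetworkAddress": "10.0.10.99", "host": "SERVER"},
    {"User": "nicholas"},  # row with missing fields, to show the placeholder handling
]


def format_logon(result, fields=FIELDS):
    """Return 'user from ip on host' for one result row; missing/empty fields are marked."""
    values = [str(result.get(f, "")) or "<missing %s>" % f for f in fields]
    return "%s from %s on %s" % tuple(values)


def annotate(results, fields=FIELDS):
    """Add a 'notification' field to every row and return the list for outputResults()."""
    for r in results:
        r["notification"] = format_logon(r, fields)
    return results


def main():
    import splunk.Intersplunk  # only importable with: splunk cmd python alogin.py
    try:
        results, dummyresults, settings = splunk.Intersplunk.getOrganizedResults()
        # argv carries the *names* of the fields (this is why the question saw the
        # literal words); the values have to be read from each result row.
        fields = tuple(sys.argv[1:]) or FIELDS
        annotate(results, fields)
        # send the notification text here, then return the rows to the search pipeline
        splunk.Intersplunk.outputResults(results)
    except Exception as e:
        splunk.Intersplunk.outputResults(splunk.Intersplunk.generateErrorResults(str(e)))


if __name__ == "__main__":
    main()
```

Run inside Splunk as `... | script python alogin User SourceNetworkAddress host`; the returned rows carry the original fields plus `notification`.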
This isn't the "right" way to do this, but it is the most expedient and it allows you to recycle your traditional alert script for use in regular searches, too. This example assumes that you will be passing 2 fields to the script, src_ip and host; you will need to adjust slightly for the fields that you will be using.
Insert this code into your MyAlertScript.py code right before your existing code that accesses the results.csv.gz file in
    import gzip
    import os
    import sys

    # In order to facilitate Event Workflow Actions using runshellscript,
    # we will hijack the arguments in one special case as follows:
    #   sys.argv[1] = '1'
    #   sys.argv[2] = '"<src_ip>","<host>"'
    #   sys.argv[3] = 'Hack'
    #   sys.argv[4] = 'to'
    #   sys.argv[5] = 'run'
    #   sys.argv[6] = 'from'
    #   sys.argv[7] = 'runshellscript'
    #   sys.argv[8] = *  <- DO NOT CHECK because splunk modifies this on the way in
    # If in this format we will pull the data directly out of the 2nd argument,
    # instead of out of the results file.
    # (workdir is the directory variable already defined earlier in MyAlertScript.py.)
    specialCase = False  # initialize to FALSE
    if (len(sys.argv) > 8 and sys.argv[1] == '1' and sys.argv[3] == 'Hack'
            and sys.argv[4] == 'to' and sys.argv[5] == 'run'
            and sys.argv[6] == 'from' and sys.argv[7] == 'runshellscript'):
        print "SPECIAL CASE!\n"  # Special case!
        specialCase = True  # make sure we delete this file at the end!
        fnz = workdir + 'results.csv.gz'
        with gzip.open(fnz, 'wb') as OFH:  # write a fake results file: header row + the values from argv[2]
            OFH.write('src_ip,host\n')
            OFH.write(sys.argv[2])
        sys.argv[8] = fnz  # the rest of the script reads the results file from argv[8]
        #print "SPECIAL CASE: ARGV8=<" + sys.argv[8] + "> fnz=<" + fnz + ">\n"
Then at the bottom, add this, too:
    if specialCase:
        os.remove(sys.argv[8])  # delete fake zip file we made
Next you need a macro like this (to abstract away the trickery):
    [MyScript]
    definition = table src_ip host\
    | map maxsearches=5000 search="|runshellscript MyAlertScript.py 1 \"\\\"\\\"$src_ip$\\\",\\\"$host$\\\"\\\"\" Hack to run from runshellscript 8"
    iseval = 0
Now, to use it, you just do this:
My Search To Get Events With src_ip And host Here | `MyScript`
SPECIAL WARNING! This will not scale nicely if you pass a large number of results to the script because of the map command, but it works GREAT for small numbers of events.