Splunk Search
Passing search results to external python script

Engager

I know it's just my lack of knowledge with Splunk causing me some grief here but...

I want to pass search results to an external python script.

Here is my search:

sourcetype="*WinEventLog:Security" (EventCode=528 OR EventCode=4624) AND LogonType=10 | eval eventdate = strftime(_time, "%D %T %P") | eval User = if(isnull(AccountName), UserName, mvindex(AccountName,1)) | script python alogin User SourceNetworkAddress host

My python script merely sends me an email with what I thought would be the field values I passed (User, SourceNetworkAddress and host).

But I'm actually getting the words "User", "SourceNetworkAddress" and "Host" in the email.

Of course I tested the script and if I run the script - "python alogin.py nicholas 10.0.10.99 SERVER" it works and I'm sent an email with the three values passed as expected.

What am I missing here?

Thanks in advance.

Re: Passing search results to external python script

Path Finder

Had any luck with this?

0 Karma

Re: Passing search results to external python script

Explorer

I have a similar requirement of passing search results as arguments to a python script. Has anyone been able to work around this problem?

0 Karma

Re: Passing search results to external python script

SplunkTrust

Hi utpress,

your script must import splunk.Intersplunk and use the following two lines to read results from previous searches:

import splunk.Intersplunk # ships with Splunk's own Python interpreter, not the OS one

myresults, dummyresults, settings = splunk.Intersplunk.getOrganizedResults() # getting search results from Splunk
for r in myresults: # loop over the results; each r is a dict of field name -> value
    ...
splunk.Intersplunk.outputResults(myresults) # hand the (possibly modified) results back to Splunk

Hope that helps ...

cheers, MuS
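The following is an added example (not code from this thread, and not Splunk's own code) showing the pattern MuS describes, applied to the `alogin` command from the original question: results arrive on stdin and are read with `getOrganizedResults()`, the words after the script name in `| script python alogin User SourceNetworkAddress host` arrive literally in `sys.argv` (which is exactly what the question observed), and the script hands the results back with `outputResults()`. The email step is reduced to building the notification text so the logic can be exercised offline; the sample rows, the `notice` field name and the CSV-on-stdin fallback are assumptions made for the example.

```python
import csv
import sys

# Fields the original search hands to the command (names taken from the question).
DEFAULT_FIELDS = ("User", "SourceNetworkAddress", "host")

# Constructed sample results, in the shape getOrganizedResults() returns:
# a list of dicts mapping field name -> value (values echo the question).
SAMPLE_RESULTS = [
    {"User": "nicholas", "SourceNetworkAddress": "10.0.10.99", "host": "SERVER"},
    {"User": "", "SourceNetworkAddress": "10.0.10.7", "host": "SERVER2"},
]


def format_logon_notice(row, fields=DEFAULT_FIELDS):
    """Build the notification line for one remote-interactive logon result.

    A missing or empty field is shown as '-' instead of raising, so a single
    odd event cannot abort the whole command."""
    values = [row.get(name) or "-" for name in fields]
    pairs = " ".join("{0}={1}".format(n, v) for n, v in zip(fields, values))
    return "Remote logon: " + pairs


def process_results(results, fields=DEFAULT_FIELDS):
    """Add a 'notice' field to every result and return the list, so the
    command can sit mid-pipeline instead of swallowing the events."""
    for row in results:
        row["notice"] = format_logon_notice(row, fields)
    return results


def main():
    # Extra words on the search line arrive literally in sys.argv; treat them
    # as the list of field names to report on.
    fields = tuple(sys.argv[1:]) or DEFAULT_FIELDS
    try:
        # Importable only under Splunk's own interpreter ("splunk cmd python").
        import splunk.Intersplunk as intersplunk
    except ImportError:
        intersplunk = None

    if intersplunk is not None:
        results, dummyresults, settings = intersplunk.getOrganizedResults()
        intersplunk.outputResults(process_results(results, fields))
    else:
        # Outside Splunk (assumption: plain CSV on stdin, i.e. enableheader=false),
        # read the same CSV shape and write it back so the script can be tried
        # from a shell:  python alogin.py User SourceNetworkAddress host < in.csv
        rows = process_results(list(csv.DictReader(sys.stdin)), fields)
        names = list(rows[0].keys()) if rows else list(fields) + ["notice"]
        writer = csv.DictWriter(sys.stdout, fieldnames=names)
        writer.writeheader()
        writer.writerows(rows)


if __name__ == "__main__":
    main()
```

Run it with Splunk's interpreter (`splunk cmd python alogin.py ...`), as the later reply in this thread points out, or the `splunk.Intersplunk` import fails and the fallback branch runs instead.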

Re: Passing search results to external python script

Explorer

Hi MuS,

I tried to import Intersplunk, but it can't find the import (the module cannot be found). Is there a special download that you need other than the SDK? Also, if you can direct me to more information on this module that would be wonderful! I have not been able to find any documentation so far.

Thank you!

0 Karma

Re: Passing search results to external python script

SplunkTrust

@annalisefolsen,

Try to run this on your Splunk server (assuming it's Linux):

 /opt/splunk/bin/splunk cmd python -c "import splunk.Intersplunk"

This will not fail. Remember to use Splunk's Python in your script and not the OS one located in /usr/bin/.
You can find some documentation here http://docs.splunk.com/Documentation/Splunk/6.4.1/Search/Writeasearchcommand and here http://dev.splunk.com/view/python-sdk/SP-CAAAEU2

Hope this helps ...

cheers, MuS

Re: Passing search results to external python script

Explorer

Thank you. I've run it in Splunk and it is now able to find the module.

0 Karma

Re: Passing search results to external python script

Explorer

Hi MuS,

I thought that Intersplunk could change the event data when it is output (and not just display). I have done this and nothing has changed. Is this possible, or do I have to find another way to do this?

Thanks again for your help!

0 Karma

Re: Passing search results to external python script

SplunkTrust

@annalisefolsen, I don't know what you are trying to achieve - but if you look at this example here http://docs.splunk.com/Documentation/Splunk/6.4.1/Search/Customsearchcommandshape you will learn how to pass a Splunk search result into a python script, do stuff with the result and return it into Splunk.

0 Karma

Re: Passing search results to external python script

Esteemed Legend

This isn't the "right" way to do this, but it is the most expedient and it allows you to recycle your traditional alert script for use in regular searches, too. This example assumes that you will be passing 2 fields to the script: src_ip and host; you will need to adjust slightly for the fields that you will be using.

Insert this code to your MyAlertScript.py code right before your existing code that accesses the results.csv.gz file in argv[8]:

# In order to facilitate Event Workflow Actions using runshellscript,
# we will hijack the arguments in one special case as follows:
#    1(sys.argv[1]) = '1'
#    2(sys.argv[2]) = '"<src_ip>","<host>"'
#    3(sys.argv[3]) = 'Hack'
#    4(sys.argv[4]) = 'to'
#    5(sys.argv[5]) = 'run'
#    6(sys.argv[6]) = 'from'
#    7(sys.argv[7]) = 'runshellscript'
#    8(sys.argv[8]) = * <- DO NOT CHECK because splunk modifies this on the way in
# If in this format we will pull the data directly out of the 2nd argument,
# instead of out of the results file.
import gzip
import os
import sys

# workdir is assumed to be defined earlier in MyAlertScript.py: the directory
# that holds results.csv.gz, including a trailing path separator.
specialCase = False # initialize to FALSE
if ((sys.argv[1] == '1') and (sys.argv[3] == 'Hack') and (sys.argv[4] == 'to') and
    (sys.argv[5] == 'run') and (sys.argv[6] == 'from') and
    (sys.argv[7] == 'runshellscript')):
    print "SPECIAL CASE!\n" # Special case!
    specialCase = True # make sure we delete this file at the end!

    fnz = workdir + 'results.csv.gz'
    with gzip.open(fnz, 'wb') as OFH: # the with block closes the file for us
        OFH.write('src_ip,host\n') # header row, in the field order the macro uses
        OFH.write(sys.argv[2]) # the quoted values handed over in argv[2]

    sys.argv[8] = fnz # point the rest of the script at the fake results file
    #print "SPECIAL CASE: ARGV8=<" + sys.argv[8] + "> fnz=<" + fnz + ">\n"

Then at the bottom, add this, too:

if specialCase:
    os.remove(sys.argv[8]) # delete the fake results file we made

Next you need a macro like this (to abstract away the trickery):

[MyScript]
definition = table src_ip host\
| map maxsearches=5000 search="|runshellscript MyAlertScript.py 1 \"\\\"\\\"$src_ip$\\\",\\\"$host$\\\"\\\"\" Hack to run from runshellscript 8"
iseval = 0

Now, to use it, you just do this:

My Search To Get Events With src_ip And host Here | `MyScript`

SPECIAL WARNING! This will not scale nicely if you pass a large number of results to the script because of the map command but it works GREAT for small numbers of events.

0 Karma
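As an added example (not the poster's code, and not part of any Splunk package), here is one loader that serves both ways the post above says the alert script can be invoked: under a real alert, argv[8] is the path to results.csv.gz, and under the runshellscript macro trick argv[2] carries the quoted field values with argv[3..7] holding the marker words "Hack to run from runshellscript". Instead of writing a fake gzip file and deleting it afterwards, the values are parsed in memory, and the results file is read with a CSV reader rather than by hand. The field names src_ip and host are from the post; the argv layouts, the marker tuple and the temp-directory round trip are constructed for this example, and it targets Python 3.

```python
import csv
import gzip
import os
import sys
import tempfile

MARKER = ("Hack", "to", "run", "from", "runshellscript")  # argv[3..7] in the macro layout
FIELDS = ("src_ip", "host")  # field names from the post; adjust to your own

# Constructed argv for the macro path, as the post's comment block describes it.
SPECIAL_ARGV = ["MyAlertScript.py", "1", '"10.0.10.99","SERVER"',
                "Hack", "to", "run", "from", "runshellscript", "8"]


def is_special_case(argv):
    """True when argv has the runshellscript layout the macro produces.
    The length is checked first so a short argv cannot raise IndexError."""
    return len(argv) >= 9 and argv[1] == "1" and tuple(argv[3:8]) == MARKER


def rows_from_argument(arg, fields=FIELDS):
    """Parse the single quoted CSV record in argv[2] into one result dict."""
    values = next(csv.reader([arg]))
    if len(values) != len(fields):
        raise ValueError("expected {0} values, got {1}: {2!r}".format(
            len(fields), len(values), arg))
    return [dict(zip(fields, values))]


def rows_from_results_file(path):
    """Read a real alert's results.csv.gz: gzip-compressed CSV with a header row."""
    with gzip.open(path, "rt", newline="") as fh:
        return [dict(row) for row in csv.DictReader(fh)]


def load_results(argv):
    """Return the results as a list of dicts, whichever way the script was invoked."""
    if is_special_case(argv):
        return rows_from_argument(argv[2])
    return rows_from_results_file(argv[8])


def write_results_gz(path, rows, fields=FIELDS):
    """Write rows in the results.csv.gz format (used here to build test input)."""
    with gzip.open(path, "wt", newline="") as fh:
        writer = csv.DictWriter(fh, fieldnames=list(fields))
        writer.writeheader()
        writer.writerows(rows)


def roundtrip_via_file(rows):
    """Simulate a normal alert invocation: write rows to a temporary
    results.csv.gz, build a nine-element argv with the file path in argv[8]
    (the other positions are placeholders), load the rows back through
    load_results, and clean up."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "results.csv.gz")
    try:
        write_results_gz(path, rows)
        argv = ["MyAlertScript.py", str(len(rows)), "search terms", "saved search",
                "trigger reason", "results-url", "", "", path]
        assert not is_special_case(argv)
        return load_results(argv)
    finally:
        if os.path.exists(path):
            os.remove(path)
        os.rmdir(workdir)


if __name__ == "__main__":
    for row in load_results(sys.argv):
        print(row)
```

Because the marker check also verifies the argument count, a call with fewer arguments falls through to the results-file path and fails on the missing file rather than on a stray IndexError, which is easier to spot in splunkd.log.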