Splunk Search

Passing search results to external python script

utpress
Engager

I know it's just my lack of knowledge with Splunk causing me some grief here but...

I want to pass search results to an external python script.

Here is my search:

sourcetype="*WinEventLog:Security" (EventCode=528 OR EventCode=4624) AND Logon_Type=10 | eval event_date = strftime(_time, "%D %T %P") | eval User = if(isnull(Account_Name), User_Name, mvindex(Account_Name,1)) | script python alogin User Source_Network_Address host

My python script merely sends me an email with what I thought would be the field values I passed (User, Source_Network_Address and host).

But I'm actually getting the words "User", "Source_Network_Address" and "Host" in the email.

Of course I tested the script and if I run the script - "python alogin.py nicholas 10.0.10.99 SERVER" it works and I'm sent an email with the three values passed as expected.

What am I missing here?

Thanks in advance.
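The behaviour described in the post matches how Splunk's legacy external search commands are invoked: the words after the script name on the search line arrive in the script as literal argument strings, while the actual result rows are streamed to the script on standard input as CSV and must be written back to standard output. The following stand-in script is an added example, not the poster's alogin.py and not Splunk's own code; it assumes a plain CSV on stdin (commands.conf without a settings header block), uses a constructed two-row sample of the search output, and stubs the mail step out as a function that only builds the message body.

```python
"""Minimal stand-in for a legacy Splunk external search command.

Assumptions (not from the original post): Splunk streams the search
results to the script as CSV on stdin, the arguments after the script
name arrive as literal strings in sys.argv, and the script must write
the (possibly modified) results back to stdout as CSV. Mail sending
is replaced by a function that only builds the message body.
"""
import csv
import io
import sys

# Constructed sample of what Splunk would pipe to the script for the
# search in the post (Logon_Type=10 is an interactive/remote logon).
SAMPLE_STDIN = (
    "_time,User,Source_Network_Address,host,Logon_Type\n"
    "1700000000,nicholas,10.0.10.99,SERVER,10\n"
    "1700000060,alice,192.0.2.25,FILESRV01,10\n"
)


def read_results(text):
    """Parse the CSV Splunk writes to stdin into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def extract_fields(rows, field_names):
    """Map the field names given on the search line to each row's values.

    A field absent from a row yields an empty string rather than raising,
    so one malformed event does not abort the whole command.
    """
    return [tuple(row.get(name, "") for name in field_names) for row in rows]


def build_alert_body(rows, field_names):
    """Build the email body: one line per result, values space-separated."""
    return "\n".join(" ".join(values) for values in extract_fields(rows, field_names))


def write_results(rows, out):
    """Return the results unchanged to Splunk so the search pipeline continues."""
    if not rows:
        return
    writer = csv.DictWriter(out, fieldnames=list(rows[0].keys()))
    writer.writeheader()
    writer.writerows(rows)


def main():
    # sys.argv holds the literal words from the search line, e.g.
    # ["alogin.py", "User", "Source_Network_Address", "host"]; they name
    # the fields to look up, they are not the field values themselves.
    field_names = sys.argv[1:] or ["User", "Source_Network_Address", "host"]
    rows = read_results(sys.stdin.read())
    body = build_alert_body(rows, field_names)
    # send_mail(body)  # hypothetical mail call; an smtplib send would go here
    write_results(rows, sys.stdout)


if __name__ == "__main__":
    main()
```

Run offline as `printf "$SAMPLE" | python alogin_example.py User Source_Network_Address host` and the body contains the per-row values rather than the field names, because the names from argv are used as lookup keys into the CSV rows read from stdin.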
