Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Please help - passing search results to OO/best way to get to Splunk search results from OO

merritsa
Path Finder
‎08-20-2010 02:23 PM

Hi,

Long story short I'd like to know if it's possible to pass search results through a script to another system (HP's Operations Orchestration in this case)? I've seen from this link:

http://www.splunk.com/base/Documentation/latest/Admin/Configurescriptedalerts

That you can pass just about everything but the actual results through. It looks like the best thing to do is have HP OO go and read the file that splunk creates, but it's a gz file isn't it? I think OO can read csv, but not so sure about gz.

Any suggestions on how to do this? Here's our use case:

Splunk runs a scheduled search on /32 route withdrawn messages. This catches circuit bounces for to any non-redundant sites and forwards them on (currently) to our HP Network Node Manager iseries application. Problem is, all that does is bascially say "Hey go look at splunk/your email to see why I alerted."

With HP OO, I am able to directly generate an incident in HP NNMi complete with correct source node and everything. HP OO is also able to parse data before it does this, which I'd like it to do. But it needs the data in the first place.

Thanks!

Scott

Tags (1)
0 Karma
Reply

ziegfried
Influencer
‎08-22-2010 11:24 AM

Here is a simple python script that can be used to process the results:

#!/usr/bin/python
import sys,os,re,datetime,gzip,csv

count,search,fq_search,title,reason,url,not_used,result_file = sys.argv[1:9]

f = gzip.open(result_file)
csv = csv.DictReader(f)
for row in csv:
    # process result here - use row['fieldname'] to access the fields
    pass
Reply

merritsa
Path Finder
‎08-23-2010 02:26 PM

Thank you all for the help! I will try this.

0 Karma
Reply

briang67
Communicator
‎08-20-2010 07:40 PM

We've done this to get traps to our fault management system - EMC Smarts.

We execute a perl script referencing $8 which is the results file path. We do a zcat to expand the file and then use the Text::xSV module to parse the resulting csv so that we can break the fields into variables that can be mapped to varbinds passed as part of the net-snmp sendtrap command.

0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎08-20-2010 03:25 PM

Your script can open and read the file, take whatever results or fields it needs, and then pass them on to HP OO using whatever mechanism is available. Note that you're given the file because there is no way for us to know ahead of time how many results there will be or what fields will be there.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...