Splunk Search

Python alert script to show the search result values

harish_ka
Communicator

Can someone please help me with a python script to display the values of search results.
i have been trying but not able to write a script for this.
Do we need to do any other settings??

Tags (3)
0 Karma
1 Solution

jplumsdaine22
Influencer

If you want to run a script from a saved search, check out:
http://docs.splunk.com/Documentation/Splunk/6.3.1/alert/ConfiguringScriptedAlerts

You'll need to parse out the results from a file, the filename is provided as the 9th argument to the script.

View solution in original post

jplumsdaine22
Influencer

If you want to run a script from a saved search, check out:
http://docs.splunk.com/Documentation/Splunk/6.3.1/alert/ConfiguringScriptedAlerts

You'll need to parse out the results from a file, the filename is provided as the 9th argument to the script.

harish_ka
Communicator

Yes i am trying with the following script:

!C:/Program Files/Splunk/bin/python

import sys, csv

def openany(p):

if  p.endswith(".gz"):
    import gzip
    return gzip.open(p)

else:
    return open(p)

results_file = sys.argv[9]
for result in csv.DictReader(openany(results_file)):

Do whatever action with your results ...

print results["_raw"]

But its not working 😞

Can you help me with this??

0 Karma

jplumsdaine22
Influencer

Test your script first.

Run your script manually against any results.csv.gz file (you can find them in $SPLUNK_HOME/var/run/splunk/dispatch/ )

eg
python pyalert.py 0 1 2 3 4 5 6 7 ./results.csv.gz

You should get a stacktrace from python telling you whats going wrong. I can't tell you 100% from looking at your code but I'm guessing you're missing an indent in the final for loop, and 'results' is not defined anywhere

This might work better:

for result in csv.DictReader(openany(results_file)):
           print result
0 Karma

harish_ka
Communicator

Yes it worked 🙂
Thanks a lot @jplumsdaine22 & @jeffland

0 Karma

jeffland
SplunkTrust
SplunkTrust

@jplumsdaine22, you can format your text almost any way you like when you use the code mode:

leave one line blank and indent by four spaces
  and then
                             you can indent as much as you like
                             and have monospaced font

dart
Splunk Employee
Splunk Employee

Can you elaborate on what your final goal is here? Are you using Splunk 6.3 or an earlier release?

0 Karma

harish_ka
Communicator

i need to print (to a file) the search results when the alert is triggered, lets say i have 3 columns in the search results, i need to send the result values of these 3 columns to another file .

I am now trying in 6.3 version (trial version), but i will be implementing in 6.2 version. Is there any changes in scripts or functionalities when we use latest version of splunk??

0 Karma
Get Updates on the Splunk Community!

Unleash the Power of Splunk MCP and AI, Meet Us at .Conf 2025, and Find Even More New ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Observability Professionals: Build Resilience and Visibility with These .conf25 ...

  If you're focused on performance, availability, and full-stack visibility, the Observability track at ...

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...