Splunk Search

Splunk Custom Search Commands: How can I write the generator.py script so that it calls the script.py?

siu
Loves-to-Learn

Hi everyone,

I have a script.py which requires one argument to run normally, for eg. script.py D:\Downloads\12-Dec-2022\1234\

I am intending to create a custom search command so that I can have a Splunk Dashboard GUI which allows the user to input the file path i.e D:\Downloads\12-Dec-2022\1234\ and then it will run in the backend this --> script.py D:\Downloads\12-Dec-2022\1234\ and generate a csv file in which I will use the splunk search command to format the data. 

My question would be how can I write the generator.py script so that it calls the script.py 

I have a template I found:

 

 

 

 

#!/usr/bin/env python

import sys
import os

sys.path.insert(0, os.path.join(os.path.dirname(__file__), "..", "lib"))
from splunklib.searchcommands import \
    dispatch, GeneratingCommand, Configuration, Option, validators

@Configuration()
class %(command.title())Command(GeneratingCommand):
    """ %(synopsis)

    ##Syntax

    %(syntax)

    ##Description

    %(description)

    """
    def generate(self):
       # Put your event  code here

       # To connect with Splunk, use the instantiated service object which is created using the server-uri and
       # other meta details and can be accessed as shown below
       # Example:-
       #    service = self.service

       pass

dispatch(%(command.title())Command, sys.argv, sys.stdin, sys.stdout, __name__)

 

 

 

 

 

However, I am not sure like how to write it such that this command will accept an argument (eg. file path inputted by the user)

So how I Forsee it is I have 3 things

1. Custom search command named mycommand
2. my own script.py which accepts one argument (a file path) use to run and generate stats 
3. Splunk search command


So once I have the custom search command mycommand

I can use it in splunk search 
| mycommand <user input> 

something like that..however writing the custom search command am not sure how to make it accept an argument inputted for the user in the splunk gui. can anyone help please?

Labels (1)
0 Karma

siu
Loves-to-Learn

Hi @PaulPanther  any updates?

0 Karma

siu
Loves-to-Learn

is there anything else to change/add?

0 Karma

PaulPanther
Motivator

Just declare the field in the class like

filename = Option(require=True)

 

and then assign the user input as a variable to a new variable e.g.

filename = self.filename

sample code:

#!/usr/bin/env python

import sys
import os

sys.path.insert(0, os.path.join(os.path.dirname(__file__), "..", "lib"))
from splunklib.searchcommands import \
    dispatch, GeneratingCommand, Configuration, Option, validators

@Configuration()
class %(command.title())Command(GeneratingCommand):
    filename = Option(require=True)

    def generate(self):
       filename = self.filename
       # Put your event  code here

       # To connect with Splunk, use the instantiated service object which is created using the server-uri and
       # other meta details and can be accessed as shown below
       # Example:-
       #    service = self.service

       pass

dispatch(%(command.title())Command, sys.argv, sys.stdin, sys.stdout, __name__)

 

0 Karma

siu
Loves-to-Learn
# Import the necessary modules
import splunklib.searchcommands as searchcommands
import subprocess

# Define a custom search command class
class MyCustomCommand(searchcommands.GeneratingCommand):

    # Define any options for your custom command
    filepath = searchcommands.Option(
        doc='''
        **Syntax:** **filepath=***<filepath>*
        **Description:** Path to the file to be processed by the Python script''',
        require=True, validate=validators.Fieldname())

    # Define the fields that your command will output
    @staticmethod
    def output_schema():
        return {'_time': searchcommands.DateTimeField(), 'output_field_1': searchcommands.StringField()}

    # Define the logic for your custom command
    def generate(self):
        # Call the Python script with the specified filepath as an argument
        result = subprocess.run(["python", "path/to/your/script.py", self.filepath], stdout=subprocess.PIPE)

        # Parse the output of the Python script
        output = result.stdout.decode().strip()

        # Create a new output record with the output of the Python script and the current timestamp
        output_record = {'_time': self._time, 'output_field_1': output}

        # Yield the output record to Splunk
        yield output_record

# Register the custom command with Splunk
dispatch(MyCustomCommand, sys.argv, sys.stdin, sys.stdout, __name__)


Thanks for your reply @PaulPanther 

From your code I inspired to generate this code above

0 Karma

siu
Loves-to-Learn

Hi @PaulPanther , with the inspired code above it still doesn't work, any help is much appreciated 🙂

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...