Re: Splunk rest api , if hostname matched

burakatabay · ‎09-22-2020

Hi,
I try to if saved search result hostname is matched, reload deploy-server with rest API. But When saved search runs, the deploy server is reloading every time. My saved search cron schedule 5 minutes periods work.
There is a deploy server reload every 5 minutes.
How I do, if hostname is matched , reload deploy server.

My savedsearches.conf

[Syslog New Source Monitor]
action.syslogmonitor = 1
alert.digest_mode = 0
alert.suppress = 0
alert.track = 0
counttype = number of events
cron_schedule = */5 * * * *
dispatch.earliest_time = -5m
dispatch.latest_time = now
display.general.type = statistics
display.page.search.tab = statistics
enableSched = 1
quantity = 0
relation = greater than
request.ui_dispatch_app = search
request.ui_dispatch_view = search
search = index=inotify \
| rex field=_raw "ISDIR\s(?<path>.+)" \
| eval orig_path="/var/log/splunk/syslog/" \
| eval new_path=orig_path . path \
| stats count by host new_path \
| eval API = case(host=="splunk-sch", \
[| rest /services/deployment/server/serverclasses//HF%201/reload],host=="splunkfwd", \
[| rest /services/deployment/server/serverclasses//HF%202/reload], 1=1, 0)

No result doesnt come back but case statement is running.

richgalloway · ‎09-22-2020

The problem lies in the final eval.

| eval API = case(host=="splunk-sch", \
[| rest /services/deployment/server/serverclasses//HF%201/reload],host=="splunkfwd", \
[| rest /services/deployment/server/serverclasses//HF%202/reload], 1=1, 0)

The square brackets around each rest command denote a subsearch and subsearches (almost) always execute first. Therefore, the reload command is running before any conditions are tested.

SPL doesn't have conditional execution like programming languages do. You may be able to work around that this way, however.

| eval API = case(host=="splunk-sch", 
"\| rest /services/deployment/server/serverclasses//HF%201/reload",host=="splunkfwd", 
"\| rest /services/deployment/server/serverclasses//HF%202/reload", 1=1, "noop")
| map search="$API$"

I have to ask, however, what you are trying to accomplish. Reload the deployment server is not a routine task. It's something that is necessary only when the serverclass.conf file is modified. What is the problem you are trying to solve with this search?

---
If this reply helps you, Karma would be appreciated.

burakatabay · ‎09-23-2020

Hi @richgalloway

Thank you for answers.

Firstly;

if any result doesn't come back, splunk search is fail.

Secondly;

if any result come back, rest doesn't running.

The reason why I want to do this is that, I want this custom alert action python script to trigger when there is a new Syslog added to SplunkHF, the script would add the newly discovered Syslog paths onto the deployment_apps inputs.conf to monitor those new paths and then send the deployed app towards the splunkHF. I have added the correct information to inputs.conf, Incase any results are returned I just want to Reload the related server class.

Happy Splunking.

Splunk rest api , if hostname matched

eval

other

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?