Greetings-
I'm putting together a dashboard query that shows uids and systems as a result. I would like to resolve that uid to a username, so the dashboard output will be username and system. I have written a Python script that, when passed a uid, will return the username. What I'm stumbling with is calling it correctly and using the output. I've tried calling it as a script and as a lookup, verified it is running, but can't get it to do what I want. Can someone give me a shove in the right direction please?
Hi @mullica1,
The best way to do this is to create a lookup file that contains all uids, systems and usernames. You can update this lookup using your script with crontab, and use that lookup at the end of your dashboard search like the sample below:
Lookup file sample:
uid_lookup.csv
uid,system,username
1001,host1,user1
| lookup uid_lookup.csv uid system OUTPUT username
| table username system
An external lookup should do the job. Have you looked at https://docs.splunk.com/Documentation/Splunk/8.1.3/Knowledge/Configureexternallookups ?
Please explain what you want it to do and what it is actually doing.
If this reply helps you, Karma would be appreciated.
Thanks, I'll check the link; I've read till my eyes have bled.
Here's what I'm doing. A dashboard query similar to
sourcetype=linux_audit............. | stats count by uid,host
which gives me a table of uids and hosts. Unfortunately the audit records in question don't have the user account name, just the uid. What I want to do is turn that table into user, host by passing the uids to a Python script like
import sys
import pwd
# uid is passed as the first command-line argument
arg = int(sys.argv[1])
# look the uid up in the local passwd database and take the login name
results = pwd.getpwuid(arg).pw_name
print(results)
My Python script works as expected and I can call it from the command line with the expected results. I made an entry in transforms.conf.
What's tripping me up is how to invoke it correctly.
One cannot invoke an ordinary Python script from SPL. There is a protocol that Splunk uses to communicate with the script. Learn more at dev.splunk.com.
If this reply helps you, Karma would be appreciated.
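Added example (not code from this thread or from Splunk): an external lookup script written against the request/response protocol the reply above refers to, in which Splunk passes the lookup field names as arguments, streams a CSV on stdin and expects the same CSV back on stdout with the output field filled in. The script name, the transforms.conf stanza in the docstring and the sample rows are assumptions; an unknown uid is echoed back unchanged so the row is not dropped.

```python
#!/usr/bin/env python3
"""External lookup: resolve uid -> username via the local passwd database.

Assumed transforms.conf stanza (hypothetical names):
    [uid_lookup]
    external_cmd = uid_lookup.py uid username
    fields_list  = uid, username
Splunk then runs: uid_lookup.py uid username   with CSV on stdin.
"""
import csv
import io
import pwd
import sys


def resolve_uid(uid):
    """Map a numeric uid to a username; fall back to the uid itself."""
    try:
        return pwd.getpwuid(int(uid)).pw_name
    except (ValueError, KeyError):
        # Non-numeric or unknown uid: return it unchanged so the event is
        # still shown (same effect as eval account=coalesce(account,uid)).
        return str(uid)


def process(csv_text, uid_field="uid", name_field="username"):
    """Read Splunk's request CSV and return the response CSV as text."""
    reader = csv.DictReader(io.StringIO(csv_text))
    fieldnames = reader.fieldnames or [uid_field, name_field]
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=fieldnames)
    writer.writeheader()
    for row in reader:
        if row.get(uid_field):
            row[name_field] = resolve_uid(row[uid_field])
        writer.writerow(row)
    return out.getvalue()


if __name__ == "__main__":
    # Field names arrive as arguments, rows as CSV on stdin.
    uid_field, name_field = sys.argv[1], sys.argv[2]
    sys.stdout.write(process(sys.stdin.read(), uid_field, name_field))
```

To try it outside Splunk, pipe a constructed CSV such as `uid,system,username` / `0,host1,` into `python3 uid_lookup.py uid username` and the username column comes back filled.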
The only issue with that, from what I see, is that if there is no value in the lookup table for the uid, then nothing is returned. That means an unresolved audit record will possibly not be shown in the table. I was going to enhance my Python script to return the uid if the lookup was unsuccessful, so at least the unresolved uid would be shown in the query.
Just proved myself wrong, I can use coalesce.
eval account=coalesce(account,uid)
If not found, it will just list the uid. Thanks.