Splunk Search

search with value from setup.xml

klee310
Communicator

I have a setup.xml and a myappsetup.conf all setup properly (lets make that assumption for now, still many bugs to iron out). From within myappsetup.conf, there is a field called order_transaction_min_count and I want to use this field in my searches.

For example:

search eventtype="Orders" | transaction fields="OrderNumber" | search count<order_transaction_min_count

Is this correct? Or am I missing something here?

Tags (1)
0 Karma
1 Solution

LukeMurphey
Champion

In the past, I have achieved this functionality using macros. Just have your Python endpoint write out an entry in macros.conf:

# Add the definition
confMacro = {}
confMacro["definition"] = "10"

# Write out the conf file
self.writeConf("macros", "order_transaction_min_count", confMacro)

The resulting macros.conf should look something like (in local/macros.conf):

[order_transaction_min_count]
definition=10

Then, update your searches to use the macro:

search eventtype="Orders" | transaction fields="OrderNumber" | search count<`order_transaction_min_count`

Make sure to include a default value for the macro under the default directory (default/macros.conf) so that you can avoid a warning if the user did not override it with their own value.

View solution in original post

0 Karma

klee310
Communicator

thanks LukeMurphey

Actually, I have gone with another route. Instead of using macros, I wrote a custom command which reads the the configuration dictionary with:

splunk.clilib.cli_common.getConfStanza("myappconfig", "setupentity")

and also reading the first argument to my command using:

sys.argv[1]

I was able to extract the information i needed and perform the custom search within the script. so now, my final search command would look something like this:

search eventtype="Orders" | transaction fields="OrderNumber" | mycustomcommand order_transaction_min_count

Thanks for your reply anyways.

0 Karma

LukeMurphey
Champion

In the past, I have achieved this functionality using macros. Just have your Python endpoint write out an entry in macros.conf:

# Add the definition
confMacro = {}
confMacro["definition"] = "10"

# Write out the conf file
self.writeConf("macros", "order_transaction_min_count", confMacro)

The resulting macros.conf should look something like (in local/macros.conf):

[order_transaction_min_count]
definition=10

Then, update your searches to use the macro:

search eventtype="Orders" | transaction fields="OrderNumber" | search count<`order_transaction_min_count`

Make sure to include a default value for the macro under the default directory (default/macros.conf) so that you can avoid a warning if the user did not override it with their own value.

0 Karma
Get Updates on the Splunk Community!

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...