why does my custom search command not take quoted string values for args?

awurster
Contributor

Just checking if this is true. Given a custom command I write with a single argument:

... | mycommand arg1="this is value 1" arg2="foo"

I do not see the arg's value above returned correctly by Intersplunk:

>>> args, kwargs = splunk.Intersplunk.getKeywordsAndOptions()
>>> print str(kwargs)
{'arg2': 'foo', 'arg1': 'this'}

Is this expected? Any way to get around this with a custom search command? I'll be posting search data to a separate service, and need to set some values which of course have spaces in them and require quotes.

1 Solution

awurster
Contributor

Update: I ended up kind of abandoning the approach to use that method because it just wouldn't work. So I just took the whole search command and split it manually myself.

Find the details on BitBucket at https://bitbucket.org/snippets/awurster/ERLbG, but here's a preview below:

import re

def getCmdArgs(settings):
    """ usage: jira <action> <args...>
        * action:
        ** create summary=<summary> template_name=<template_name>
        ** update issue=<issue_key> comment=<comment> template_name=<template_name>
    """
    sessionKey = settings['sessionKey']

    # everything after the last pipe is the jira command plus its options
    search_string, jira_command = settings['search'].rsplit('|', 1)
    try:
        search_string = search_string.split('search ')[1]
    except IndexError:
        # if first command is not a "search"
        search_string = search_string.strip()
        first_cmd = search_string.split('|')[1].strip()
    parsed_cmd = re.search(r'\s+jira\s+(?P<cmd_action>(create|update))\s+(?P<cmd_options>.+)', jira_command).groupdict()
    cmd_action = parsed_cmd['cmd_action'].lower()
    # a value is either a double-quoted string (may contain spaces) or one bare token
    cmd_options = {k: v.strip('"') for k, v in re.findall(r'(\S+)=(".*?"|\S+)', parsed_cmd['cmd_options'])}
    return cmd_action, cmd_options




dwaddle
SplunkTrust

Expected, maybe not. But, yes, this is how Intersplunk.getKeywordsAndOptions() works. I wound up copy-pasting it into my own code and making changes in order to handle some of my arguments that needed quotes. If I ever get something worth sending back, I'll send patches to Splunk and hope they make it into a future release.

kamal_jagga
Contributor

@awurster
I am also trying to write a script which takes 2 arguments.

#!/dir/splunk/bin/python2.7

import sys, time
import splunk.Intersplunk
import getopt
from splunklib.searchcommands import \
    dispatch, GeneratingCommand, Configuration, Option, validators

def main(argv):
    print("hello")
    # getopt.getopt(args, shortopts, longopts): no short options here
    opts, args = getopt.getopt(argv, "", ["ifile=", "ofile="])
    for arg in args:
        print(arg)

main(sys.argv[1:])

This executes fine from the backend if I use the Splunk Python:

/dir/splunk/bin/splunk cmd python command_test file1 file2

But I am unable to execute it from search bar.

Would you be able to advise anything regarding the script or share some part of your script?

Thank you !!!


awurster
Contributor

I ended up just parsing the argument as one giant string instead and then doing the string splitting inside my own script. Will have a search through my code to see if I can find it.


awurster
Contributor

@kamal_jagga - give this example a shot. It's been a while since I've run this version of the script (I kind of abandoned the inline command approach in the latest app version). It's mostly using a keyword to do the arg splitting.

https://bitbucket.org/snippets/awurster/ERLbG

Any issues and you can ping me at awurster@atlassian.com. Although ideally, a Splunk developer person should be able to chime in here on the conversation.


awurster
Contributor

Also, you should consider making your original reply a comment, not an answer 😉


kamal_jagga
Contributor

Thanks. My main issue is passing the argument from search to the script.


awurster
Contributor

I guess this is the code we need to override from getKeywordsAndOptions() in ./lib/python2.7/site-packages/splunk/Intersplunk.py:

        else:
            # handle case where arg is surrounded by quotes
            # remove outter quotes and accept attr=<anything>
            if arg.startswith('"') and arg.endswith('"'):
                arg = arg[1:-1]
                matches = re.findall('(?:^|\s+)([a-zA-Z0-9_-]+)\\s*(::|==|=)\\s*(.*)', arg)
            else:
                matches = re.findall('(?:^|\s+)([a-zA-Z0-9_-]+)\\s*(::|==|=)\\s*((?:[^"\\s]+)|(?:"[^"]*"))', arg)
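As an added example (not code from Splunk's Intersplunk module or from the Bitbucket snippet above), this is a quote-aware version of the keyword/option split that the accepted solution and the excerpt above both work around: it puts the whitespace split the question observed side by side with a tokenizer that keeps `key="value with spaces"` intact, accepts the `=`, `==` and `::` separators the excerpt matches, and handles backslash-escaped quotes inside a value. The sample command tail is constructed for the example.

```python
import re

# Token grammar for the argument string a custom command receives:
#   key=value   value is a double-quoted string (backslash escapes allowed)
#               or a run of non-whitespace characters; separator may be
#               '=', '==' or '::' as in Intersplunk
#   keyword     any other token (positional argument, e.g. an action word)
_TOKEN = re.compile(
    r'(?P<key>[A-Za-z0-9_-]+)\s*(?:::|==|=)\s*'
    r'(?P<val>"(?:[^"\\]|\\.)*"|\S+)'
    r'|(?P<kw>"(?:[^"\\]|\\.)*"|\S+)'
)

# Constructed sample: what the search bar hands to `... | mycommand ...`
SAMPLE = 'create arg1="this is value 1" arg2="foo" note="say \\"hi\\"" limit=10'


def naive_split(argstr):
    """Plain whitespace split: reproduces the truncation from the question
    ('this is value 1' becomes 'this')."""
    opts = {}
    for tok in argstr.split():
        if '=' in tok:
            k, v = tok.split('=', 1)
            opts[k] = v.strip('"')
    return opts


def _unquote(v):
    """Strip one pair of surrounding double quotes and resolve \\x escapes."""
    if len(v) >= 2 and v[0] == '"' and v[-1] == '"':
        v = re.sub(r'\\(.)', r'\1', v[1:-1])
    return v


def get_keywords_and_options(argstr):
    """Return (keywords, options) like Intersplunk does, but quote-aware.
    Values are still untrusted search input: validate them before forwarding
    to any external service."""
    keywords, options = [], {}
    for m in _TOKEN.finditer(argstr):
        if m.group('key') is not None:
            options[m.group('key')] = _unquote(m.group('val'))
        else:
            keywords.append(_unquote(m.group('kw')))
    return keywords, options


if __name__ == '__main__':
    print(naive_split(SAMPLE))
    print(get_keywords_and_options(SAMPLE))
```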

awurster
Contributor

Cheers @dwaddle. Yeah, maybe I'll have to pull that code out into my script and override the method. Seems kind of... counterintuitive...
