Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About bansi
bansi
Path Finder
Member since:
11-24-2010
06-05-2020
Community Statistics
| Posts | 71 |
| Solutions | 0 |
| Karma Given | 0 |
| Karma Received | 14 |
| Member Since | 11-24-2010 |
Activity Feed
- Got Karma for Scripted Lookup Script doesn't output to a CSV file. 06-05-2020 12:45 AM
- Got Karma for Search XML data inside Text File. 06-05-2020 12:45 AM
- Got Karma for SQL commands like "IN" or "Exists" is available in Splunk ???. 06-05-2020 12:45 AM
- Got Karma for SQL commands like "IN" or "Exists" is available in Splunk ???. 06-05-2020 12:45 AM
- Got Karma for Python Extension Module To DB2 doesn't work. 06-05-2020 12:45 AM
- Got Karma for Error in 'lookup' command: The lookup table 'namelookup' does not exist.. 06-05-2020 12:45 AM
- Got Karma for Re: Error in 'lookup' command: The lookup table 'namelookup' does not exist.. 06-05-2020 12:45 AM
- Got Karma for Re: Error in 'lookup' command: The lookup table 'namelookup' does not exist.. 06-05-2020 12:45 AM
- Got Karma for Re: Error in 'lookup' command: The lookup table 'namelookup' does not exist.. 06-05-2020 12:45 AM
- Got Karma for Re: Error in 'lookup' command: The lookup table 'namelookup' does not exist.. 06-05-2020 12:45 AM
- Got Karma for Re: Error in 'lookup' command: The lookup table 'namelookup' does not exist.. 06-05-2020 12:45 AM
- Got Karma for Re: Error in 'lookup' command: The lookup table 'namelookup' does not exist.. 06-05-2020 12:45 AM
- Got Karma for Lookup Script doesn't return search results. 06-05-2020 12:45 AM
- Got Karma for Is Splunk "sendmail" utility capable of sending secure emails ???. 06-05-2020 12:45 AM
- Posted Re: Splunk Support Python 2.7 ??? on Splunk Search. 02-01-2011 06:45 PM
- Posted Re: Is it possible to pass CSV Reader Object As Argument From Splunk Python to another Python Script ??? on Splunk Search. 01-28-2011 12:28 AM
- Posted Splunk Support Python 2.7 ??? on Splunk Search. 01-27-2011 08:13 PM
- Tagged Splunk Support Python 2.7 ??? on Splunk Search. 01-27-2011 08:13 PM
- Posted Re: Is it possible to pass CSV Reader Object As Argument From Splunk Python to another Python Script ??? on Splunk Search. 01-26-2011 10:28 PM
- Posted Is it possible to pass CSV Reader Object As Argument From Splunk Python to another Python Script ??? on Splunk Search. 01-26-2011 03:55 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 1 | |||
| 1 | |||
| 1 | |||
| 1 | |||
| 0 |
02-01-2011
06:45 PM
The import doent work. It gives error Unable to import DLL module
... View more
01-28-2011
12:28 AM
jrodman i would greatly appreciate if you could provide an example for your suggestion on tempfile as i am new to Python
... View more
01-27-2011
08:13 PM
Wondering if Splunk latest version support Python 2.7 otherwise user community has compatability issues
... View more
01-26-2011
10:28 PM
jrodman thanks for wonderful explaination but having csvreader inside namelookup.py script does nothing because its namelookupWrapper.py which gets the input from Splunk as configured in transforms.conf. The reason for wrapper script is to bridge the Splunk Python version gap i.e. Python 2.6 doesnt support pyodbc on Windows 64 bit OS hence i have system installation of Python 2.7 which host namelookup.py script. So the challenge is how to connect these two scripts to make the external lookup working
... View more
01-26-2011
03:55 PM
I have following two python scripts
-namelookupWrapper.py
-namelookup.py
The namelookupWrapper.py takes input of "memberId", "memberName" from Splunk Web interface and has following code snippet
idf = sys.argv[1]
namef = sys.argv[2]
real_script = "C:\\Splunk\\etc\\apps\\search\\bin\\namelookup.py"
r = csv.reader(sys.stdin)
os.execv(python_executable, [ python_executable, real_script ] + sys.argv[1:] )
Wondering how would i pass csv reader object "r" as an argument using os.execv() to another python script i.e. namelookup.py
Using the csv reader object
i iterate thru the input in namelookupWrapper.py which looks like as shown below
[MemberId, MemberName]
[123, ]
[456, ]
[989, ]
Now i have another script i.e. namelookup.py running under Python 2.7
using pyodbc to retrieve Member Names from database for a given Member
Id in namelooupWrapper.py
Please note the reason i need to do so is Splunk Python 2.6 host namelookupWrapper.py and the real_script namelookup.py is under Python 2.7 has pyodbc connection
... View more
01-25-2011
09:12 PM
From the url
http://blogs.splunk.com/2009/09/14/enriching-data-with-db-lookups-part-2/
i read the following excerpt
“The Python program gets its city field input via standard CSV input from Splunk, calls SQL to find the corresponding country, and produces the aggregate CSV output that contains the city with its correlated country”
On further analyzing this statement I infer
“Splunk Web interface Serializes input to Stdin and the Python Script using a CSV reader object reads the input from Stdin”
Hence the presence of following code snippet in Python external lookup script
r = csv.reader(sys.stdin)
Having said that the value of variable “r” is empty and the lookup script does nothing
I arrived at this statement by printing debugging statements to log file
Is there anyone who can help with this?
... View more
01-25-2011
06:29 PM
jrodman, Thanks for suggestion. Would you mind providing an example code snippet on how to perfor the Logging you suggested i.e. Open a logfile -- lf = open(logfile, "a", 1 ) -- at the beginning of the script and log variable states and debug lines to it lf.write(), using such things as repr(), str(), the pprint module
... View more
01-24-2011
05:57 PM
Thanks once again for quick response. I greatly appreciate it."The context of Splunk Search" means from Splunk Web the search command "source="Test_Log.txt" | xmlkv entry | lookup namelookupWrapper memberId | table memberId, memberName" doesn't return any data under "memberName" column. So i am not sure how to check if Splunk Web successfully invokes namelookupWrapper script which you suggested. Also the real script i.e. namelookup.py has code snippet "r = csv.reader(sys.stdin)" so wondering how would namelookWrapper.py would re-direct sys.stdin to real script namelookup.py.
... View more
01-24-2011
02:24 AM
LookUp Script NOT To Read from CSV File
Yes i am looking for script which reads from the context of Splunk Searching instead of taking the input from CSV file from stdin
Here is the script which works from standalone but not from context of splunk search
# File namelookup.py
# ------------------------------
import os,csv
import sys
import logging
import logging.config
import pyodbc
FIELDS = [ "memberId", "memberName" ]
# Given a id, find its name
def lookupName(idf, cur):
try:
selString = "SELECT first_name FROM emp where Member_ID="
cur.execute (selString + idf )
row = cur.fetchone()
return row[0]
except:
return []
def main():
if len(sys.argv) != 3:
print "Usage: python name_lookup.py [id field] [name field]"
sys.exit(0)
idf = sys.argv[1]
namef = sys.argv[2]
#THIS IS NOT DESIRED: r = csv.reader(sys.stdin)
#r = csv.reader(open('C:\\Splunk\\etc\\system\\bin\\memberInput.csv'))
#r = csv.reader(sys.stdin)
#w = csv.DictWriter(sys.stdout, FEILDS)
result = {}
w = csv.DictWriter(sys.stdout, FIELDS)
header = []
first = True
conn = pyodbc.connect('DSN=DBT1')
cursor = conn.cursor()
if len( idf):
result[namef] = lookupName(idf, cursor)
print("Result of"+ namef)
print(result[namef])
if len(result[namef]):
w.writerow(result)
cursor.close()
conn.close()
main()
Pl let me know how to rewrite the script to read/write from the context of splunk search
... View more
01-24-2011
02:19 AM
Thanks Lowell. You made my day and definately deserve credit for the answer. I would greatly appreciate your help in re-writing the script to read from the context of splunk search instead of CSV file from stdin. I am posting it in the below section
... View more
01-24-2011
02:08 AM
LookUp Script NOT To Read from CSV File
Yes i am looking for script which reads from the context of Splunk Searching instead of taking the input from CSV file from stdin
Here is the script which works from standalone but not from context of splunk search
# File namelookup.py
# ------------------------------
import os,csv
import sys
import logging
import logging.config
import pyodbc
FIELDS = [ "memberId", "memberName" ]
# Given a id, find its name
def lookupName(idf, cur):
try:
selString = "SELECT first_name FROM emp where Member_ID="
cur.execute (selString + idf )
row = cur.fetchone()
return row[0]
except:
return []
def main():
if len(sys.argv) != 3:
print "Usage: python name_lookup.py [id field] [name field]"
sys.exit(0)
idf = sys.argv[1]
namef = sys.argv[2]
# THIS IS NOT DESIRED
#r = csv.reader(open('C:\\Splunk\\etc\\system\\bin\\memberInput.csv'))
#r = csv.reader(sys.stdin)
result = {}
w = csv.DictWriter(sys.stdout, FIELDS)
header = []
first = True
conn = pyodbc.connect('DSN=IBM_DB')
cursor = conn.cursor()
if len( idf):
result[namef] = lookupName(idf, cursor)
print("Result of"+ namef)
print(result[namef])
if len(result[namef]):
w.writerow(result)
cursor.close()
conn.close()
main()
Pl let me know how to rewrite the script to read/write from the context of splun search
... View more
01-24-2011
01:56 AM
You read my mind. Thats exactly what i plan to do i.e. return memberName dynamically as you search. But wasn't sure how to do so always wonder why example lookup scripts (viz external_lookup.py) read CSV file from stdin/stdout. I am looking for an example which reads the value of memberId from the context of Splunk Search and not from CSV file. As i cannot post the code snippet here i will post under "Add An Answer" section
... View more
01-20-2011
10:09 PM
I am still getting errors:
splunk cmd python namelookupWrapper.py
Error File "C:\Splunk\Python-2.6\Lib\os.py", line 432, in delitem
del self.data[key.upper()]
KeyError: 'LD_LIBRARY_PATH'
So i commented that line still error persist in next line
splunk cmd python namelookupWrapper.py memberId memberName < memberInput.csv
File "c:\Splunk\etc\system\bin\namelookupWrapper.py", line 7, in
os.execv("C:\Python27\python.exe", [ "C:\Splunk\etc\system\bin\namelookup.py" ] + os.argv[1:])
AttributeError: 'module' object has no attribute 'argv'
... View more
01-20-2011
08:03 PM
I have a Scripted Lookup Script which works great when ran with Python 2.7 version but fails under Splunk Python version 2.6
Here is the error
c:\Splunk\etc\system\bin>splunk cmd python namelookup.py memberId memberName > memberInput.csv
Traceback (most recent call last):
File "namelookup.py", line 7, in <module>
import pyodbc
ImportError: DLL load failed: The specified module could not be found.
So from the error its quite understandable,
the pyodbc, the python extension module needs to be run under Splunk environment
But Splunk Python version 2.6 doesnt support pyodbc module on 64bit OS hence i have to install Python 2.7 with pyodbc module underneath it and the below scripted lookup script works fine
C:\Python27\python.exe namelookup.py memberId memberName < memberInput.csv
So how would i make the same scripted lookup script work under Splunk environment i.e.
splunk cmd python namelookup.py memberId memberName > memberInput.csv
I have made the following changes but no help
import os
del os.environ[PYTHONPATH]
del os.environ[LD_LIBRARY_PATH]
ppath = "C:\Python27"
spath = "C:\Splunk\etc\system\bin\namelookup.py"
os.execv(ppath, [spath] + os.argv[1:])
i have copied
C:\Python27\lib\site-packages,
TO
$SPLUNK_HOME\lib\Python2.6\site-packages
but still it doesnt help
... View more
01-20-2011
01:22 PM
Yes you understood the problem correctly i.e. scripted lookup execute perfectly from the command-line as shown in my posting
The questions are
**- Where do i mention the name of CSV file so that the script outputs to CSV file and then returns it to Splunk. So i would like to know the location of CSV file . Is it $SPLUNK_HOME/etc/system/lookups/ . Do i need to refer it in transforms.conf
-Next is HOW Scripted LookUp uses these CSV file to populate the results from Database. I haven't referenced in my Scripted Lookup. So where is the magic done? Right Now my scripted LookUp doesnt write to CSV file just print to stdout
- Finally how does CSV file returns the results to Splunk. What is the Splunk Search Command . The "lookup memberId OUTPUT memberName" doesnt seem to be working**
... View more
01-19-2011
10:47 PM
1 Karma
Below is the props.conf at $SPLUNK_HOME/etc/system/local:
[Test_Log]
lookup_table = namelookup memberId OUTPUT memberName
Below is the transforms.conf at $SPLUNK_HOME/etc/system/local:
[namelookup]
external_cmd = namelookup.py memberId memberName
external_type = python
fields_list = memberId, memberName
Script location :
$SPLUNK_HOME/etc/system/bin/namelookup.py
# File namelookup.py
# ------------------------------
import os,csv
import sys
import logging
import logging.config
import pyodbc
# Given a id, find its name
def lookupName(idf, cur):
#logger.debug("====Inside Lookup idf====="+idf)
try:
selString = "SELECT first_name FROM emp where Member_ID="
cur.execute (selString + idf )
row = cur.fetchone()
return row[0]
except:
return []
def main():
logging.config.fileConfig("logging.conf")
logger = logging.getLogger("name_lookup")
if len(sys.argv) != 3:
print "Usage: python name_lookup.py [id field] [name field]"
sys.exit(0)
idf = sys.argv[1]
namef = sys.argv[2]
#logger.debug("====idf===="+idf)
#logger.debug("====namef====="+namef)
r = csv.reader(sys.stdin)
w = None
header = []
first = True
conn = pyodbc.connect('DSN=IBM_DB')
cursor = conn.cursor()
for line in r:
if first:
header = line
if idf not in header or namef not in header:
print "Host and IP fields must exist in CSV data"
sys.exit(0)
csv.writer(sys.stdout).writerow(header)
w = csv.DictWriter(sys.stdout, header)
first = False
continue
# Read the result
result = {}
i = 0
while i < len(header):
if i < len(line):
result[header[i]] = line[i]
else:
result[header[i]] = ''
i += 1
# Perform the lookup for city to country if necessary
if len(result[idf]) and len(result[namef]):
w.writerow(result)
elif len(result[idf]):
result[namef] = lookupName(result[idf], cursor)
if len(result[namef]):
w.writerow(result)
cursor.close()
conn.close()
main()
the results displayed on stdout are as desired
C:\Splunk\etc\system\bin>db_lookup.py memberId memberName < memberInput.csv
produces following output retrieving memberName from database
memberId,memberName
006,RANDY
007,LEONY
009,RANDOLPH
However i still have following issues
The script doesn't output similar results in the CSV file. Wondering why it doesn't output in CSV file when the desired results are displayed in STDOUT. So what i am missing here?
The script then outputs from the CSV file and returns it to Splunk, which populates the memberName field in your results
source="Test_Log.txt" | xmlkv entry | lookup namelookup memberId OUTPUT memberName | table memberId, memberName
Please let me know how to populate CSV file with the results
... View more
01-19-2011
08:52 PM
Thanks for wonderful explaination hexx.
I did exactly as per your recommendation and my scripted lookup behaves in the same manner as yours i.e. the results displayed on stdout are as desired
C:\Splunk\etc\system\bin>db_lookup.py memberId memberName < memberInput.csv
produces following output retrieving memberName from database
memberId,memberName
006,RANDY
007,LEONY
009,RANDOLPH
However, when I invoke the scripted lookup from splunk search as shown below , It doesn't return any results under memberName column
source="Test_Log.txt" | xmlkv entry | lookup namelookup memberId OUTPUT memberName | table memberId, memberName
Please let me know what am I missing?
... View more
01-19-2011
08:43 PM
Thanks for wonderful explaination. I did exactly as per your recommendation and my scripted lookup behaves in the same manner as yours i.e. works fine
However, when I run the below search, It doesn't return any search results under name
source="Test_Log.txt" | xmlkv entry | lookup namelookup Id OUTPUT Name | table Id, name
... View more
12-23-2010
03:33 PM
Please note the purpose of lookup script in my case is to retrieve Name from database for a given Id in Splunk Search query. i.e.
.....| lookup namelookup Id OUTPUT Name
Please note i modelled the lookup script based on external_lookup.py shipped with installation or http://blogs.splunk.com/2009/09/14/enriching-data-with-db-lookups-part-2/
These scripts take " CSV input from Splunk via standard input "
This doesnt seems to be working in my case. So is their a way to debug the lookup script to make sure CSV input from Splunk is really supplied to lookup script via stdin.
To prove my point, I modified the lookup script by commenting following lines and It runs perfectly fine as standalone program
#namef = sys.argv[2] // This doesnt really make sense.
#r = csv.reader(sys.stdin)
#w = None
#header = []
#first = True
#csv.writer(sys.stdout).writerow(header)
#w = csv.DictWriter(sys.stdout, header)
So the question boils down to how to make the script
take " CSV input from Splunk via standard input "
produce Splunk Search Results with Name value from database. Please note i don't want CSV standard output.
mostly importantly how to launch debugger
Any pointers/suggestions to make the script working will be greatly appreciated
... View more
12-23-2010
03:26 PM
Please see my first posting in which i have pasted XML Log file and exact search i.e.
source="Test_Log.txt" | xmlkv entry | rex "(?i)<TransactionAttributes><entry key=\"CONTRACT_ID\">(? [^<]+)" | rex "(?i)<TransactionAttributes><entry key=\"CONTRACT_ID\">\w+<\/entry><entry key=\"MEMBER_ID\">(? [^<]+)" |where contractId="123" | mvexpand memberId
|table contractId, memberId
And as you suggested to append mvexpand memberId
... View more
12-22-2010
08:19 PM
i modified the script to run as standalone program by commenting lines : csv.writer(sys.stdout).writerow(header)
w = csv.DictWriter(sys.stdout, header)
So the question boils down to how to make it work with Splunk or how to make it write to CSV file
... View more
12-22-2010
08:14 PM
As i didnt get answer to my comment i am using this section to repost the comment
In the above posting. i forgot to mention the complete output was
contractId memberId
========== =========
contract1_100 member1_100,
member2_100,
member3_100
contract1_100 <NULL>
Now using mvexpand as suggested by ziegfried doesnt help much as the last rows disappear moreover it still displays memberIds with contractId in single row whereas i need to display combination of contractId, memberId in single row i.e.
contractId memberId
========== =========
contract1_100 member1_100,
contract1_100 member2_100,
contract1_100 member3_100
... View more
We have a requirement to send secure emails with encryption something like PGP Encrypt/Decrypt email feature so wondering if Splunk "sendmail" utility is capable of sending secure emails
... View more
12-22-2010
06:54 PM
The purpose of lookup script in my case is to given an Id, connect to database and retrieve Name by Id. So i am not sure what you are suggesting. Could you please elaborate. Please note we don't have Name value initially available to us infact we are retriving it from database by passing Id value as an argument in "SELECT" clause. Anyhow that script is far from working so i hard-coded the values in a dictionary with keys as Id and Values as Name as a prrof-of-concept that Splunk will be able to call the lookup script namelookp.py
... View more
12-21-2010
08:59 PM
1 Karma
Below is the props.conf at $SPLUNK_HOME/etc/system/local:
[SPLUNK_SERVICE_Log]
lookup_table = namelookup Id OUTPUT Name
Below is the transforms.conf at $SPLUNK_HOME/etc/system/local:
[namelookup]
external_cmd = namelookup.py Id Name
external_type = python
fields_list = Id, Name
Script location :
$SPLUNK_HOME/etc/system/bin/namelookup.py
# File namelookup.py
# ------------------------------
import os,csv
#import pyodbc
import sys
import logging
import logging.config
def main():
#if len(sys.argv) != 3:
#print "Usage: python name_lookup.py [id field] [name field]"
#sys.exit(0)
logging.config.fileConfig("logging.conf")
# create logger
logger = logging.getLogger("namelookup")
# "application" code
logger.debug("====Inside Main=====")
idf = sys.argv[1]
namef = sys.argv[2]
r = csv.reader(sys.stdin)
w = None
header = []
first = True
d1 = {}
# Add items
d1["006981166"] = "John"
d1["007094117"] = "Mike"
d1["007094118"] = "Scott"
for line in r:
if first:
header = line
print "Header:", header
if idf not in header or namef not in header:
print "Id and Name fields must exist in CSV data"
sys.exit(0)
csv.writer(sys.stdout).writerow(header)
w = csv.DictWriter(sys.stdout, header)
first = False
continue
# Read the result
result = {}
i = 0
while i < len(header):
if i < len(line):
result[header[i]] = line[i]
else:
result[header[i]] = ''
i += 1
# Perform the lookup
if len(result[idf]) and len(result[namef]) :
w.writerow(result)
elif len(result[idf]):
result[namef] = lookup(result[idf], d1)
if len(result[namef]):
w.writerow(result)
# Given a Id, find its Name
def lookup(id, d1):
try:
for key in d1.keys():
if key == id:
#print "Value=", d1[key]
return d1[key]
except:
return []
main()
However, when I run the below search, It doesn't return any search results under name
source="Test_Log.txt" | xmlkv entry | lookup namelookup Id OUTPUT Name | table Id, name
Please let me know where i am going wrong in the script or where exactly is the script failing. Is their a way to debug the script using Komodo Edit IDE . I want debugger to launch the moment you hit enter in the Splunk Web Interface because i am not even sure the script is invoked by Splunk. So i would like to see atleast the first print statement in the script is printed onto console.
When i tried to run as standlone program using the command
splunk cmd namelookup.py 123
it opens a command prompt and immediately closes it. So not sure whats going on with this script
... View more
