How do I write an external_cmd Python script?

zchandikaz
New Member

I need to alter data in Splunk using props.conf.
I need to use external_cmd to run a Python script.
Can you give me an example Python script for that?

Thanks

0 Karma

richgalloway
SplunkTrust

Data in Splunk cannot be altered using props.conf or any other means.
Data arriving at Splunk can be modified using transforms.conf. See https://docs.splunk.com/Documentation/Splunk/8.0.3/Data/Anonymizedata for an example.

See https://docs.splunk.com/Documentation/Splunk/8.0.3/Search/Writeasearchcommand for how to write an external command.

---
If this reply helps you, Karma would be appreciated.
0 Karma

zchandikaz
New Member

Yes.
Do you know how to alter data in transforms.conf using a Python program? I couldn't find an example to alter data using Python as I alter data using SEDCMD.

Thank you very much

0 Karma

richgalloway
SplunkTrust

If your python program is a scripted or modular input then you can make all the changes you like. It won't involve transforms.conf, however.
Or do you want to change the transforms.conf file itself using python? If so, I don't have an answer.

---
If this reply helps you, Karma would be appreciated.
0 Karma

zchandikaz
New Member

No, no.
I simply want to mask some data using transforms.conf and props.conf. I know how to do it using SEDCMD or EVAL. But I need to consider more conditions before masking, so I need to use a Python script to do it. But I don't know how to do it.

Thanks

0 Karma

richgalloway
SplunkTrust

You seem to be contradicting yourself. You say you want to use transforms, but you don't want to use SEDCMD or EVAL, which are the methods offered by transforms. Like I said previously, a python script used as a modular or scripted input can make any alterations it wants to.
Perhaps you should describe what kind of data is involved, how it is being onboarded, and what it should look like in Splunk.

---
If this reply helps you, Karma would be appreciated.
0 Karma

zchandikaz
New Member

Simply, I need to mask data in events.
Before masking, I need to consider log level, logger and some conditions.
So if I can write a script to mask, it'll be easy.

0 Karma

richgalloway
SplunkTrust

Yes, a script can do that, but the data must be read by the script. It is not possible for a script to process data as it passes through an indexer.

---
If this reply helps you, Karma would be appreciated.
0 Karma
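
What the replies above describe, a script that reads the data itself and masks it before Splunk indexes its output, might look like the following. It is an added example, not code from either poster or from Splunk; the event layout, logger names, masking policy and patterns are all assumptions.

```python
import re
import sys

# Assumed event layout (constructed): "<date> <time> LEVEL logger.name - message"
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<level>[A-Z]+) (?P<logger>[\w.]+) - (?P<msg>.*)$")
# Hypothetical policy: always mask these loggers; mask every logger at DEBUG.
SENSITIVE_LOGGERS = ("app.payment", "app.auth")
CARD_RE = re.compile(r"\b\d{12}(\d{4})\b")           # 16 digits, keep last 4
SECRET_RE = re.compile(r"(?i)\b(password|token)=\S+")

# Constructed sample events, used when no file path is given.
SAMPLE = [
    "2020-04-01 12:00:00,123 INFO app.payment.gateway - charge card=4111111111111111",
    "2020-04-01 12:00:01,456 INFO app.inventory - sku=1234567890123456 restocked",
    "2020-04-01 12:00:02,789 DEBUG app.ui - request body token=abc123",
    "    at pay(card=4111111111111111)",
]


def scrub(text):
    """Mask card numbers and password/token values in text."""
    text = CARD_RE.sub(lambda m: "X" * 12 + m.group(1), text)
    return SECRET_RE.sub(lambda m: m.group(1) + "=********", text)


def mask_event(line):
    """Mask one event only when its logger or log level puts it in scope."""
    m = LINE_RE.match(line)
    if m is None:
        # Continuation or unknown layout: no level/logger to test, so fail closed.
        return scrub(line)
    if m["logger"].startswith(SENSITIVE_LOGGERS) or m["level"] == "DEBUG":
        return f'{m["ts"]} {m["level"]} {m["logger"]} - {scrub(m["msg"])}'
    return line  # out of scope: leave the event untouched


def main(argv):
    # Splunk indexes whatever a scripted input writes to stdout.
    lines = open(argv[1], encoding="utf-8", errors="replace") if len(argv) > 1 else SAMPLE
    for raw in lines:
        sys.stdout.write(mask_event(raw.rstrip("\n")) + "\n")


if __name__ == "__main__":
    main(sys.argv)
```

A scripted input is re-run on its configured interval, so a production version also has to remember how far into the file it has already read.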

zchandikaz
New Member

Yes, I'll find another alternative, thank you very much.

0 Karma