How do I write an external_cmd Python script?

zchandikaz
New Member

I need to alter data in Splunk using props.conf.
I need to use external_cmd to run a Python script.
Can you give me an example Python script for that?

Thanks

0 Karma

richgalloway
SplunkTrust

Data in Splunk cannot be altered using props.conf or any other means.
Data arriving at Splunk can be modified using transforms.conf. See https://docs.splunk.com/Documentation/Splunk/8.0.3/Data/Anonymizedata for an example.

See https://docs.splunk.com/Documentation/Splunk/8.0.3/Search/Writeasearchcommand for how to write an external command.

---
If this reply helps you, Karma would be appreciated.
0 Karma

zchandikaz
New Member

Yes.
Do you know how to alter data in transforms.conf using a Python program? I couldn't find an example to alter data using Python as I alter data using SEDCMD.

Thank you very much

0 Karma

richgalloway
SplunkTrust

If your Python program is a scripted or modular input then you can make all the changes you like. It won't involve transforms.conf, however.
Or do you want to change the transforms.conf file itself using Python? If so, I don't have an answer.

---
If this reply helps you, Karma would be appreciated.
0 Karma

zchandikaz
New Member

No, no.
I simply want to mask some data using transforms.conf and props.conf. I know how to do it using SEDCMD or EVAL. But I need to consider more conditions before masking, so I need to use a Python script to do it. But I don't know how to do it.

Thanks

0 Karma

richgalloway
SplunkTrust

You seem to be contradicting yourself. You say you want to use transforms, but you don't want to use SEDCMD or EVAL, which are the methods offered by transforms. Like I said previously, a Python script used as a modular or scripted input can make any alterations it wants to.
Perhaps you should describe what kind of data is involved, how it is being onboarded, and what it should look like in Splunk.

---
If this reply helps you, Karma would be appreciated.
0 Karma

zchandikaz
New Member

Simply, I need to mask data in events.
Before masking, I need to consider log level, logger and some conditions.
So if I can write a script to mask, it'll be easy.

0 Karma

richgalloway
SplunkTrust

Yes, a script can do that, but the data must be read by the script. It is not possible for a script to process data as it passes through an indexer.

---
If this reply helps you, Karma would be appreciated.
0 Karma
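
An added example, not part of the thread or any poster's code: a sketch of the scripted-input approach described in the replies above, where a Python script reads the events itself, masks them according to log level and logger, and writes the result to stdout for Splunk to index. The log layout, logger names, masking policy and patterns are all assumptions.

```python
#!/usr/bin/env python3
"""Scripted-input sketch: mask events before Splunk indexes them.

Splunk indexes what a scripted input writes to stdout, so masking happens here.
Assumed (constructed) layout: "<date> <time> <LEVEL> <logger> - <message>"
"""
import re
import sys

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<level>[A-Z]+) (?P<logger>[\w.]+) - (?P<msg>.*)$"
)
# Assumed sensitive values: 13-16 digit card-like numbers and e-mail addresses.
CARD_RE = re.compile(r"\b\d{13,16}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")

# Hypothetical policy: these loggers always carry sensitive data, and DEBUG
# lines from any logger may dump raw payloads.
SENSITIVE_LOGGERS = ("app.payment", "app.auth")


def keep_last4(match):
    digits = match.group()
    return "X" * (len(digits) - 4) + digits[-4:]


def mask_event(line):
    """Return one event with sensitive values masked where the policy applies."""
    line = line.rstrip("\r\n")
    m = LINE_RE.match(line)
    if m is None:
        # Unparseable line: level and logger are unknown, so fail closed.
        return EMAIL_RE.sub("<email>", CARD_RE.sub("<card>", line))
    if m["level"] != "DEBUG" and not m["logger"].startswith(SENSITIVE_LOGGERS):
        return line  # out of scope: pass through unchanged
    msg = EMAIL_RE.sub("<email>", CARD_RE.sub(keep_last4, m["msg"]))
    return f"{m['ts']} {m['level']} {m['logger']} - {msg}"


def main(path):
    # The script reads the source itself (here a log file passed as argument).
    with open(path, encoding="utf-8", errors="replace") as src:
        for raw in src:
            sys.stdout.write(mask_event(raw) + "\n")


if __name__ == "__main__":
    main(sys.argv[1])
```

Run on an interval, this sketch re-reads the whole file each time; a real input would also need to track its read position so events are not emitted twice.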

zchandikaz
New Member

Yes, I'll find another alternative. Thank you very much.

0 Karma