Splunk Enterprise Security

How to install pycurl in Splunk to work within a custom alert action Python script

Marius732
Engager

I've tried so much but haven't achieved anything, so I hope someone can help me here.

I want to add an alert action Python script to a correlation search. In this Python script I use the pycurl module to send some data to another API.

But the Python installed in Splunk doesn't have the pycurl module, and I found no way to install it.

When I call the script in the shell with the locally installed Python it works fine and I can reach the API.

Does anybody have an idea how to install pycurl in Splunk, or which lib already exists in Splunk for a cURL HTTP request in a Python script?

Thanks for your answers.

0 Karma
Vardhan
Contributor

Hi @Marius732,

Try to create an add-on for the custom alert action.

Then download the pycurl module package and place it inside the add-on:

<Addon name>/bin/<Addon Name>/Place the pycurl module package here

And place the custom alert action script at <Addon name>/bin/custom_alert_script.py and see if it works or not.

0 Karma

Marius732
Engager

This is the response:

Traceback (most recent call last):
 File "/opt/splunk/etc/apps/TA-api-add-on/bin/send_group_message.py", line 6, in <module>
   c = pycurl.Curl()
AttributeError: module 'pycurl' has no attribute 'Curl'

Any idea?

0 Karma

Vardhan
Contributor

Hi @Marius732,

It is not a Splunk error; it is an error in your script. It is saying the pycurl module is unable to identify the Curl attribute.

c = pycurl.Curl()
AttributeError: module 'pycurl' has no attribute 'Curl'

0 Karma

Marius732
Engager

Hi @Vardhan

Yes, I know. Because the pycurl module is not available in Splunk, I decided to change my script to the request method. This script also works fine in cmd, but in Splunk it is not working. I'm not an expert in it, but I think the request methods are in the standard Splunk Python installation. I'm getting no error while executing with "sudo ./splunk cmd python /opt/splunk/bin/scripts/request.py",

but in the alert action with a shell script that calls request.py (python3 /opt/splunk/bin/scripts/request.py) it also doesn't work, and I don't understand why.

When I execute it with the command I showed, it works, so it should also work in the alert action, but it doesn't.

0 Karma

Vardhan
Contributor

Hi @Marius732,

The best way to test the custom alert action is through the Splunk Add-on Builder. I usually create the custom alert action and test the code with the help of the Add-on Builder, and if there is an issue with the code you are able to find it while testing.

https://splunkbase.splunk.com/app/2962/ 

0 Karma

Marius732
Engager

Hi @Vardhan

Thanks for the answer. Does this guarantee that other Python modules that are not available in the standard installation of Python in Splunk will also run?

I already built an add-on with the Builder yesterday, but didn't get pycurl to work here either.

Knowing whether further Python modules can be implemented is an important difference for the approach to future script development.

0 Karma

Marius732
Engager

As I mentioned yesterday, I wrote a new script using the request method instead of pycurl. This also worked after I deposited it on the path provided ($SPLUNK_HOME/bin/scripts). Is there no best practice for installing or storing subsequent Python modules? I also tried my own app and an add-on, but didn't get pycurl to work.

Thanks for the support.
0 Karma
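Added example, not part of the original thread and not code from Splunk or from either poster: a custom alert action script that avoids the pycurl dependency by sending the HTTPS POST with Python's standard library, with certificate verification and a timeout left in place. It assumes the action's alert_actions.conf stanza sets payload_format = json, so Splunk passes the alert payload as JSON on stdin when it runs the script with --execute; the parameter name api_url and the request body layout are hypothetical.

```python
#!/usr/bin/env python3
# Added example: stdlib-only alert action, no extra module to install.
# Assumed: parameter "api_url", the body layout, payload_format = json.
import json
import ssl
import sys
import urllib.request
from urllib.parse import urlsplit


def build_request(payload):
    """Turn the alert payload Splunk writes to stdin into a POST request."""
    url = payload.get("configuration", {}).get("api_url", "")  # hypothetical parameter
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("api_url must be an https:// URL")
    body = json.dumps({
        "search_name": payload.get("search_name"),
        "sid": payload.get("sid"),
        "result": payload.get("result", {}),
    }).encode("utf-8")
    return urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/json"})


def send(request, timeout=10):
    """POST with certificate and hostname verification left enabled."""
    context = ssl.create_default_context()
    with urllib.request.urlopen(request, timeout=timeout, context=context) as resp:
        return resp.status


def main(argv, stdin):
    # Splunk runs the script with --execute and writes the payload to stdin.
    if len(argv) < 2 or argv[1] != "--execute":
        print("FATAL expected --execute", file=sys.stderr)
        return 1
    try:
        status = send(build_request(json.load(stdin)))
    except Exception as exc:  # report the failure instead of dying silently
        print(f"ERROR alert action failed: {exc}", file=sys.stderr)
        return 2
    print(f"INFO API answered HTTP {status}", file=sys.stderr)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv, sys.stdin))
```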

Marius732
Engager

Hi @Vardhan,

Thanks for your answer.

I've tried this by placing the package in $SPLUNK_HOME/bin/scripts and also placing my script there, but when I run this script on the command line with ./splunk cmd python3 path-to/script.py I get the same error "ModuleNotFoundError: No module named 'pycurl'".

But I will try it with a custom add-on and see if it works.

0 Karma