Splunk Search

How to create custom command search?

lnn2204
Path Finder

Hi guys, I'm using splunk 8.0

I want to create a command that can send some infos to another via web or api. I read the Dev page but hard to understand. Do you know some easy script?

Like I have an table after search

a b c Action
312 213 13 1
13 123 46 0

When Action=1, the script will send info {a:1,b:213,c:13} to another platform, exp: send message to telegram. 

 

 

 

<basesearch>
| where action=1
| sendinfo a,b,c

 

 

 

Labels (1)
0 Karma
1 Solution

shivanshu1593
Builder

I'm hoping that you have done part of setting up commands.conf and metadata for your custom command. The error that you are seeing down to the fact that the field records is None type, meaning it contains no values and you cannot iterate over None type. Looks like you are not able to pass the data from your SPL to your custom command. Also, you are doing the get request, when you want to send (post) the data instead. Try the following (off the top of my head. May have some bugs that you can fix):

 

 

from __future__ import absolute_import, division, print_function, unicode_literals
import os,sys
import time

from splunklib.searchcommands import dispatch, StreamingCommand, Configuration, Option, validators
import requests

@Configuration()
class GenerateTextCommand(StreamingCommand):

    fieldname = Option(
        doc='''
        **Syntax:** **fieldname=***<fieldname>*
        **Description:** Name of the field that will hold the session_key''',
        require=True, validate=validators.Fieldname())

    def stream(self,records):
        for record in records:
                fields = self.fieldnames
                i = record[fields[0]]
                botURL = "https://api.telegram.org/botTOKEN/sendMessage?chat_id=CHAT_ID&text="+str(i)
                r = requests.post(botURL)
                record[self.fieldname] = r
                yield record

dispatch(GenerateTextCommand, sys.argv, sys.stdin, sys.stdout, __name__)

 

 

 

Please make sure that you run your custom command in the search

 (This will return the value of r. You may wish to format it once it works):

 

 

| yourcustomcommand fieldname=events_sent

 

 

 

Hope this helps,

###If it helps, please consider an upvote/accepting as an answer###

Thank you,
Shiv
###If you found the answer helpful, kindly consider upvoting/accepting it as the answer as it helps other Splunkers find the solutions to similar issues###

View solution in original post

shivanshu1593
Builder

You can watch @techiesid YouTube channel to create your custom command

https://www.youtube.com/watch?v=tTfEv5fLZEs

 

###If it helps. Kindly consider an upvote/accepting as an answer###

Thank you,
Shiv
###If you found the answer helpful, kindly consider upvoting/accepting it as the answer as it helps other Splunkers find the solutions to similar issues###

lnn2204
Path Finder

One more question, I just want to out the value of fields, then send it. So which command should i create? (Streaming, Generating, Transforming or something else). Because I'm using Streaming and it return error: TypeError at "/opt/splunk/etc/apps/testCommand/bin/splunklib/searchcommands/internals.py", line 573 : 'NoneType' object is not iterable

 

This is my command:

from __future__ import absolute_import, division, print_function, unicode_literals
import os,sys
import time

from splunklib.searchcommands import dispatch, StreamingCommand, Configuration, Option, validators
import requests

@Configuration()
class GenerateTextCommand(StreamingCommand):
    def stream(self,records):
        for record in records:
                fields = self.fieldnames
                i = record[fields[0]]
                botURL = "https://api.telegram.org/botTOKEN/sendMessage?chat_id=CHAT_ID&text="+str(i)
                r = requests.get(botURL)

dispatch(GenerateTextCommand, sys.argv, sys.stdin, sys.stdout, __name__)
0 Karma

shivanshu1593
Builder

I'm hoping that you have done part of setting up commands.conf and metadata for your custom command. The error that you are seeing down to the fact that the field records is None type, meaning it contains no values and you cannot iterate over None type. Looks like you are not able to pass the data from your SPL to your custom command. Also, you are doing the get request, when you want to send (post) the data instead. Try the following (off the top of my head. May have some bugs that you can fix):

 

 

from __future__ import absolute_import, division, print_function, unicode_literals
import os,sys
import time

from splunklib.searchcommands import dispatch, StreamingCommand, Configuration, Option, validators
import requests

@Configuration()
class GenerateTextCommand(StreamingCommand):

    fieldname = Option(
        doc='''
        **Syntax:** **fieldname=***<fieldname>*
        **Description:** Name of the field that will hold the session_key''',
        require=True, validate=validators.Fieldname())

    def stream(self,records):
        for record in records:
                fields = self.fieldnames
                i = record[fields[0]]
                botURL = "https://api.telegram.org/botTOKEN/sendMessage?chat_id=CHAT_ID&text="+str(i)
                r = requests.post(botURL)
                record[self.fieldname] = r
                yield record

dispatch(GenerateTextCommand, sys.argv, sys.stdin, sys.stdout, __name__)

 

 

 

Please make sure that you run your custom command in the search

 (This will return the value of r. You may wish to format it once it works):

 

 

| yourcustomcommand fieldname=events_sent

 

 

 

Hope this helps,

###If it helps, please consider an upvote/accepting as an answer###

Thank you,
Shiv
###If you found the answer helpful, kindly consider upvoting/accepting it as the answer as it helps other Splunkers find the solutions to similar issues###

lnn2204
Path Finder

Thank you, because it's  streaming command, so i need to but things back to the result. And I found the way 😄 thanks.

0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...