Greetings,
I am trying to output an IP address from a search to a script. My goal is to have the search call a script to block IP it finds. Below is my search and an example of its results.
My Search: host="192.168.4.1" UTM5 Login failed: | stats count by src_ip | where count >3 | return src_ip
Returns: src_ip="192.168.4.23"
How do I pass the src_ip from my search to a script I am calling? Or do I have to write it to a separate file?
Hi.
This isn't a very detailed answer, but hopefully will be of some help.
What you're doing would normally run as a scheduled search, when you run a scheduled search, you can create an alert on it based on the results.
So if you have a saved search defined as:
host="192.168.4.1" UTM5 Login failed: | stats count by src_ip | where count >3 | fields src_ip
and have an alert condition 'where number of results > 0'
Then your script (in <splunk install dir>/bin/scripts) will run and do whatever you want it to do.
Your script will be passed several arguments.
The 8th arg will be the filename that contains the raw results - this will be gzipped.
So your script will probably look something like:
#!/usr/bin/bash
# $8 is the gzipped results file Splunk passes to a scripted alert.
# Skip the header line, then act on each remaining value.
gunzip -c "$8" | tail -n +2 | while read -r ip; do
    block "$ip"
done
Possibly you could use script but I have no experience with that.
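As an added example, not the answerer's script, here is a fuller handler for the mechanism described above: it reads the gzipped results file from the 8th argument, finds the src_ip column by its header name rather than assuming a single column, accepts only well-formed IPv4 addresses before handing them to a block function, and de-duplicates. It assumes the results file is a gzipped CSV with a header row (the answer only says "gzipped raw results"), and block_ip is a placeholder that logs instead of calling a real firewall command.

```shell
#!/bin/bash
# Added example: Splunk scripted-alert handler (assumption: $8 is a gzipped CSV
# with a header row naming the columns, as in the answer above).

# extract_ips RESULTS_GZ: print one validated, unique IPv4 address per line.
extract_ips() {
    gzip -dc "$1" | awk -F',' '
        NR == 1 {
            for (i = 1; i <= NF; i++) {
                gsub(/^"|"$/, "", $i)        # strip CSV quoting from header cells
                if ($i == "src_ip") col = i
            }
            if (!col) { print "no src_ip column" > "/dev/stderr"; exit 1 }
            next
        }
        {
            ip = $col
            gsub(/^"|"$/, "", ip)
            # accept only dotted-quad IPv4 with numeric octets in 0-255
            if (split(ip, o, ".") != 4) next
            for (k = 1; k <= 4; k++)
                if (o[k] !~ /^[0-9]+$/ || o[k] > 255) next
            if (!(ip in seen)) { seen[ip] = 1; print ip }
        }'
}

# block_ip IP: placeholder for the real firewall call; logs so the example runs anywhere.
block_ip() {
    echo "would block $1"
}

# Constructed sample results; Splunk normally writes this file itself.
make_sample_results() {
    tmp=$(mktemp) || exit 1
    printf '%s\n' \
        '"src_ip","count"' \
        '"192.168.4.23","7"' \
        '"192.168.4.23","7"' \
        '"not-an-ip","4"' \
        '"10.0.0.300","5"' \
        '"10.0.0.9","4"' | gzip -c > "$tmp"
    echo "$tmp"
}

if [ -n "$8" ]; then            # invoked by Splunk: 8th arg is the results file
    results="$8"
else                            # run by hand: fall back to the constructed sample
    results=$(make_sample_results)
fi
extract_ips "$results" | while read -r ip; do block_ip "$ip"; done
```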
Thx for your help. Is there any direct way to pass the IP address to the script? Or is outputting the results to a file and then having a script search said file the only way? I'm thinking more of a programming way, which is probably inapplicable.
I have figured out how to output the IP to a text file via
host="192.168.4.1" UTM5 Login failed: | stats count by src_ip | where count >3 | return src_ip | outputtext usexml=false | rename _xml as raw | fields - raw, _raw | outputcsv results.txt
But I am still looking to pass the IP from the search directly into the script that will run. The variables found below do not put out any useful information.
http://docs.splunk.com/Documentation/Splunk/5.0.1/Alert/Configuringscriptedalerts