Splunk Search

why does my custom search command not take quoted string values for args?

awurster
Contributor

just checking if this is true.. given a custom command i write with a single argument:

... | mycommand arg1="this is value 1" arg2="foo"

i do not see the arg's value above returned correctly by intersplunk:

>>> args, kwargs = splunk.Intersplunk.getKeywordsAndOptions()
>>> print str(kwargs)
{'arg2': 'foo', 'arg1': 'this'}

is this expected? any way to get around this with a custom search command? i'll be posting search data to a separate service, and need to set some values which of course have spaces in them and require quotes.

1 Solution

awurster
Contributor

update: i ended up kind of abandoning the approach to use that method cause it just wouldn't work. so i just took the whole search command and split it manually myself.

find the details on BitBucket @ https://bitbucket.org/snippets/awurster/ERLbG but here's a preview below:

import re

def getCmdArgs(settings):
    """ usage: jira <action> <args...>
        * action:
        ** create summary=<summary> template_name=<template_name>
        ** update issue=<issue_key> comment=<comment> template_name=<template_name>
    """
    sessionKey = settings['sessionKey']

    # everything after the last pipe is the jira command itself
    search_string, jira_command = settings['search'].rsplit('|', 1)
    try:
        search_string = search_string.split('search ')[1]
    except IndexError:
        # if first command is not a "search"
        search_string = search_string.strip()
        first_cmd = search_string.split('|')[1].strip()
    parsed_cmd = re.search(r'\s+jira\s+(?P<cmd_action>(create|update))\s+(?P<cmd_options>.+)', jira_command).groupdict()
    cmd_action = parsed_cmd['cmd_action'].lower()
    # a double-quoted value keeps its inner spaces; only the surrounding quotes are stripped
    cmd_options = {k: v.strip('"') for k, v in re.findall(r'(\S+)=(".*?"|\S+)', parsed_cmd['cmd_options'])}
    return cmd_action, cmd_options

View solution in original post

0 Karma
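The truncation the question shows ('this' instead of 'this is value 1') next to a split that keeps quoted values whole, as an added Python example that is not the snippet from this post or from the BitBucket link. The command tail SAMPLE is constructed, and the optional allowed_keys check is an assumption added here: the option text comes straight from the search bar, so a command that forwards it to another service should only accept the keys it expects.

```python
import re

# Constructed command tail, as a user would type it after the pipe.
SAMPLE = 'mycommand arg1="this is value 1" arg2="foo" arg3=bare arg4="say \\"hi\\""'

# key=value where value is a double-quoted string (\" allowed inside) or a bare token
_PAIR_RE = re.compile(r'(?P<key>[A-Za-z0-9_-]+)=(?P<val>"(?:[^"\\]|\\.)*"|\S+)')


def naive_split(tail):
    """Whitespace split: reproduces the truncated kwargs shown in the question."""
    out = {}
    for tok in tail.split():
        if '=' in tok:
            k, v = tok.split('=', 1)
            out[k] = v.strip('"')
    return out


def parse_kwargs(tail, allowed_keys=None):
    """Return {key: value} with quoted values kept intact.

    allowed_keys: optional set of permitted option names (assumption, not in the
    post); any other key raises ValueError instead of being passed downstream.
    """
    opts = {}
    for m in _PAIR_RE.finditer(tail):
        key, val = m.group('key'), m.group('val')
        if val.startswith('"'):
            # drop the outer quotes and unescape \" inside the value
            val = val[1:-1].replace('\\"', '"')
        if allowed_keys is not None and key not in allowed_keys:
            raise ValueError('unexpected option: %s' % key)
        opts[key] = val
    return opts
```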


dwaddle
SplunkTrust

Expected, maybe not. But, yes, this is how Intersplunk.getKeywordsAndOptions() works. I wound up copypasting it into my own code and making changes in order to handle some of my arguments that needed quotes. If I ever get something worth it sending back, I'll send patches to splunk and hope they make it into a future release.

kamal_jagga
Contributor

@awurster
I am also trying to write a script which takes 2 arguments.

#!/dir/splunk/bin/python2.7

import sys, time
import splunk.Intersplunk
import getopt
from splunklib.searchcommands import \
    dispatch, GeneratingCommand, Configuration, Option, validators


def main(argv):
    print("hello")
    # getopt(args, shortopts, longopts): no short options, two long ones
    opts, args = getopt.getopt(argv, "", ["ifile=", "ofile="])
    for arg in args:
        print(arg)


main(sys.argv[1:])

This executes fine from backend if I use the splunk python.

/dir/splunk/bin/splunk cmd python command_test file1 file2

But I am unable to execute it from search bar.

Would you be able to advise anything regarding the script or share some part of your script.

Thank you !!!

0 Karma

awurster
Contributor

i ended up just parsing the argument as one giant string instead and then doing the string splitting inside my own script. will have a search through my code to see if i can find it.

0 Karma

awurster
Contributor

@kamal_jagga - give this example a shot. it's been a while since i've run this version of the script (i kind of abandoned the inline command approach in latest app version). it's mostly using a keyword to do the arg splitting.

https://bitbucket.org/snippets/awurster/ERLbG

any issues and you can ping me awurster@atlassian.com. although ideally, a splunk developer person should be able to chime in here on the conversation.

0 Karma

awurster
Contributor

also, you should consider making your original reply a comment not an answer 😉

0 Karma

kamal_jagga
Contributor

Thanks. My main issue is passing the argument from search to the script.

0 Karma

awurster
Contributor

i guess this is the code we need to override from getKeywordsAndOptions() in ./lib/python2.7/site-packages/splunk/Intersplunk.py

import re

def split_quoted_arg(arg):
    # the else-branch of getKeywordsAndOptions(), wrapped in a function here so it can be called on its own
    # handle case where arg is surrounded by quotes
    # remove outer quotes and accept attr=<anything>
    if arg.startswith('"') and arg.endswith('"'):
        arg = arg[1:-1]
        matches = re.findall(r'(?:^|\s+)([a-zA-Z0-9_-]+)\s*(::|==|=)\s*(.*)', arg)
    else:
        matches = re.findall(r'(?:^|\s+)([a-zA-Z0-9_-]+)\s*(::|==|=)\s*((?:[^"\s]+)|(?:"[^"]*"))', arg)
    return matches
0 Karma

awurster
Contributor

cheers @dwaddle. yea maybe i'll have to pull that code out into my script and override the method. seems kind of... counterintuitive...

0 Karma