Getting Data In

how do I pull just the host field out of a search to use as input for a custom search module

msantoro1
Explorer

I am trying to write a custom search module in python that will check the host field of event data in a comprehensive search and trigger a command line call to a remote server to block any ip in the search that matches a blacklist. I am thinking the data that I am looking for is somewhere in the 'results' returned from splunk.Intersplunk.getOrganizedResults() but I cannot figure out how to access it, specifically just the host field.

0 Karma

dwaddle
SplunkTrust

This might be more easily done as a script fired as part of an alert action. http://www.splunk.com/base/Documentation/4.2.2/User/SchedulingSavedSearches#Run_a_script

msantoro1
Explorer

Also, I still need to be able to pull out the host data even if it is an alert.

0 Karma

msantoro1
Explorer

Thanks for the advice. I looked into alerts, and I'm not sure that the alert solution is correct for my particular application. This is because the criteria for triggering the block are diverse and inconsistent. The same set of conditions that in one instance would require a block, in another would not. I am really just looking for a new argument to supply to a specific search, i.e. "search | uniq | block", that would trigger the block. I have found that it is easy enough to trigger the action; I am having problems accessing the data. Also, debugging Python is a huge pain inside of Splunk.

0 Karma

sideview
SplunkTrust

Agreed. Run the search for the list of hosts, and then in the script operate on all of them at once.

0 Karma
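The two things the thread leaves implicit are how the host field is actually reached in the value that getOrganizedResults() returns, and what the script should do with it before handing it to a blocking tool. The following is an added example, not code from the thread or from Splunk: a skeleton custom search command that takes the piped-in results, collects the distinct host values, keeps only those that are literal IPv4 addresses on a blacklist, and calls a blocking tool once per address, as sideview suggests, operating on the whole list at once. getOrganizedResults() returns a tuple (results, dummyresults, settings) in which results is a list of dicts, one per event, keyed by field name, so row["host"] is the value being asked for. Everything about the blacklist and the blocking tool is assumed (the thread names neither): the blacklist is a set of IPv4 strings and the tool is a placeholder CLI called block-host that takes one address as its argument. Because the host value comes from event data, it is treated as untrusted: it is validated as a dotted quad and passed as an argv list, never interpolated into a shell string. Outside Splunk (where splunk.Intersplunk cannot be imported) the script falls back to constructed sample results and a dry-run runner so it can be exercised on the command line.

```python
"""Skeleton of a Splunk custom search command: pull distinct host values
out of the piped-in results and pass blacklisted IPs to a blocking tool.

Added example, not code from the thread or from Splunk. Assumptions the
thread does not confirm: the blacklist is a set of IPv4 addresses, and the
remote block is triggered by an external CLI (placeholder name 'block-host')
that takes one address as its argument.
"""
import re
import subprocess
import sys

# Strict dotted quad with ASCII digits only, so int() below can never raise.
_IPV4_RE = re.compile(r"^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$")


def is_ipv4(value):
    """True only for a literal IPv4 address. Hostnames, shell metacharacters
    and out-of-range octets are rejected before they can reach a command line."""
    m = _IPV4_RE.match(value.strip())
    return bool(m) and all(int(g) <= 255 for g in m.groups())


def extract_hosts(results):
    """results is the list of dicts that getOrganizedResults() returns as its
    first element (one dict per event, field name -> value). Returns the
    distinct host values in first-seen order; rows with no host are skipped."""
    seen = []
    for row in results:
        host = row.get("host")
        if host is None:
            continue
        # A multivalue field may arrive as a list; treat both shapes alike.
        for v in (host if isinstance(host, list) else [host]):
            v = str(v).strip()
            if v and v not in seen:
                seen.append(v)
    return seen


def select_for_block(hosts, blacklist):
    """Hosts that are both literal IPv4 addresses and on the blacklist."""
    return [h for h in hosts if is_ipv4(h) and h in blacklist]


def block_hosts(hosts, block_cmd=("block-host",), runner=subprocess.call):
    """Run the blocking tool once per address in argv-list form (never a shell
    string) and return {host: exit_code}."""
    return dict((h, runner(list(block_cmd) + [h])) for h in hosts)


def dry_run(argv):
    """Stand-in runner used outside Splunk: log the argv, execute nothing."""
    sys.stderr.write("would run: %r\n" % (argv,))
    return 0


# Constructed sample data standing in for real search results.
SAMPLE_RESULTS = [
    {"_time": "1311100000", "host": "10.0.0.5", "_raw": "Failed password for root"},
    {"_time": "1311100001", "host": "web01", "_raw": "GET /index.html 200"},
    {"_time": "1311100002", "host": "10.0.0.5", "_raw": "Failed password for admin"},
    {"_time": "1311100003", "host": "203.0.113.9", "_raw": "Failed password for root"},
    {"_time": "1311100004", "host": "999.1.1.1; rm -rf /", "_raw": "garbage"},
    {"_time": "1311100005", "_raw": "event with no host field"},
]
# Constructed blacklist (assumed shape: a set of IPv4 strings).
SAMPLE_BLACKLIST = frozenset(["10.0.0.5", "198.51.100.2", "999.1.1.1; rm -rf /"])


def main():
    try:
        import splunk.Intersplunk as si  # only importable inside Splunk
        results, _dummy, _settings = si.getOrganizedResults()
        runner = subprocess.call
    except ImportError:
        si, results, runner = None, SAMPLE_RESULTS, dry_run

    to_block = select_for_block(extract_hosts(results), SAMPLE_BLACKLIST)
    codes = block_hosts(to_block, runner=runner)
    # stderr from a custom command is captured into the search's log, which is
    # the easiest place to see what the script actually did.
    sys.stderr.write("blocked=%r\n" % (codes,))

    if si is not None:
        si.outputResults(results)  # pass the events downstream unchanged
    else:
        sys.stdout.write("\n".join(to_block) + "\n")


if __name__ == "__main__":
    main()
```

Note that the fifth sample row is on the blacklist but is still not passed to the tool: is_ipv4 rejects it, which is the point of validating before calling out. Run stand-alone the script prints 10.0.0.5 and logs the command it would have executed; inside Splunk it would be registered in commands.conf like any other custom command and used as "search ... | block".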