
Where to place common python libraries

eddieparra
New Member

I have multiple alert actions in Python. I am trying to have the modalert helper for each action load a common library, which I would like to place in this package. I do not know the appropriate location within the package directory structure to place such a library.

0 Karma

eddieparra
New Member

I created the directory you stated:

$SPLUNK_HOME/etc/apps/your_app_name/bin/lib

I then created:

$SPLUNK_HOME/etc/apps/your_app_name/bin/commands.conf.  

Inside I added:

# type of script: 'python', 'perl'
 TYPE = python

# is command streamable?
streaming = false

# maximum data that can be passed to command (0 = no limit)
maxinputs = 50000

[test_sdk]
filename = test_sdk.py

In bin/lib I have an __init__.py file and test_sdk.py

[root@splunk lib]# ls -l
total 0
-rw-r--r--. 1 root root 0 Mar 11 12:01 __init__.py
-rw-r--r--. 1 root root 0 Mar 11 12:00 test_sdk.py

In $SPLUNK_HOME/etc/apps/your_app_name/bin/ta__adaptive_response/, I have "modalert_blacklist_block_helper.py". This file has "import test_sdk".

When I run a test, it still can't import test_sdk. Any ideas?

0 Karma

tiagofbmm
Influencer

Two things I can see right away:

1 - The commands.conf is a conf file and must be placed under $SPLUNK_HOME/etc/apps/your_app_name/local or $SPLUNK_HOME/etc/apps/your_app_name/default, so move it to either of the directories.

2 - For the test you are performing, "import test_sdk", I suggest you first try it this way:

Go to $SPLUNK_HOME/etc/apps/your_app_name/bin/ (where test_sdk.py must be)

Then try executing this as a test:
$SPLUNK_HOME/bin/splunk cmd python test_sdk.py

If it still doesn't work, you need to append new directories in which Python will search for modules to import, by adding this to your modalert_blacklist_block_helper.py (before the import test_sdk):

import os
import sys

# Directory that holds the shared library inside the app
lib_dir = os.path.join(os.environ['SPLUNK_HOME'], 'etc', 'apps', 'your_app_name', 'bin', 'lib')
# Add it to the module search path only once
if lib_dir not in sys.path:
    sys.path.append(lib_dir)

And finally, I am not aware of the structure of having a TA inside a Splunk App. I've never seen that before anywhere, honestly, so I can't judge that.
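An added example, not part of the original posts: it resolves bin/lib relative to the helper's own file instead of hard-coding SPLUNK_HOME and the app name. The directory layout and file names come from the thread; `find_app_lib`, `add_app_lib_to_path` and `demo` are hypothetical names, and the contents of test_sdk.py are constructed.

```python
import importlib
import os
import sys
import tempfile


def find_app_lib(helper_file):
    """Walk up from helper_file to the app's bin/ directory and return bin/lib."""
    current = os.path.dirname(os.path.realpath(helper_file))
    while True:
        if os.path.basename(current) == "bin":
            candidate = os.path.join(current, "lib")
            return candidate if os.path.isdir(candidate) else None
        parent = os.path.dirname(current)
        if parent == current:  # reached the filesystem root without finding bin/
            return None
        current = parent


def add_app_lib_to_path(helper_file):
    """Append the app's bin/lib to sys.path once; return the directory or None."""
    lib_dir = find_app_lib(helper_file)
    if lib_dir and lib_dir not in sys.path:
        # append rather than insert(0, ...) so a file in lib/ cannot shadow a stdlib module
        sys.path.append(lib_dir)
    return lib_dir


def demo():
    """Build a constructed copy of the thread's layout and import test_sdk from it."""
    app = os.path.join(tempfile.mkdtemp(), "your_app_name")
    lib = os.path.join(app, "bin", "lib")
    helper_dir = os.path.join(app, "bin", "ta__adaptive_response")
    os.makedirs(lib)
    os.makedirs(helper_dir)
    with open(os.path.join(lib, "test_sdk.py"), "w") as fh:
        fh.write("def ping():\n    return 'pong'\n")  # constructed sample module
    helper = os.path.join(helper_dir, "modalert_blacklist_block_helper.py")
    open(helper, "w").close()
    # In the real helper this call would be add_app_lib_to_path(__file__)
    lib_dir = add_app_lib_to_path(helper)
    test_sdk = importlib.import_module("test_sdk")
    return lib_dir, test_sdk.ping()


if __name__ == "__main__":
    print(demo())
```
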

tiagofbmm
Influencer

Please let me know if the answer was useful for you. If it was, accept it and upvote. If not, give us more input so we can help you with that.

0 Karma

eddieparra
New Member

Have you seen this documented anywhere? As I look at other AR apps, I never see this. I trust you are correct, so let me give this a try.

0 Karma

tiagofbmm
Influencer

What do you mean by AR app?

0 Karma

eddieparra
New Member

Adaptive Response

0 Karma

tiagofbmm
Influencer

Well I believe they work the same way though.

Let me know if they don't 🙂

0 Karma

eddieparra
New Member

I just posted a more detailed message here. It is pending moderator approval.

0 Karma

tiagofbmm
Influencer

Any python library you want to add should be in:

$SPLUNK_HOME/etc/apps/your_app_name/bin/lib

Remember that in the lib folder, the sub-folders containing the Python library must contain the file __init__.py

Let me know if this solved your question and, if so, please accept the answer for future queries.

0 Karma

eddieparra
New Member

How can I make it part of the AR app itself? This would be more of a helper function vs. a proper library. When using the app builder, the bin/ directory has many mainstream libs. I would like to embed it in a similar fashion, for all my actions. I just don't know what the proper location is to pass validation. Thanks.

0 Karma

tiagofbmm
Influencer

Well, if you put it in the app folder, under /bin/lib/ (not under /bin), then it is part of the app.
That's it!

If you are planning to create a custom command in Splunk with the Python library, you also need to configure commands.conf in the same app where you put the Python library. The Python script that the command would call should be in the app folder, under /bin

0 Karma