Is there a simple resource for how to code up extensions in Python that work with the stats() command?

rgoerwit
Engager

Is there a good, simple resource for how to code up extensions in Python that work with the stats() command?

Background:

I'd never thought of using Python with Splunk...until this last month, when literally thousands of IP addresses started trying to brute-force user passwords using my org's externally visible systems. Each address tries a few passwords for a few users, making it silly to block individual IP addresses. I could block networks, but that's overkill unless I can tune the netmasks.

Anyway, I wrote up a Python script to help me figure out a set of minimal networks/masks I can block - more than individual IP addresses but less than, say, mechanically blocking a bunch of fixed-width netblocks. The script runs at a command line and has proven useful.

But it occurs to me that I should be rewriting it to work with the Splunk stats command and output a list (like values()).

I have read over some Splunk documentation on how to do this - or tried. It's spread out, and what I can find is, to me, inscrutable. I do some coding, but generally it's in Perl, C#, C, etc. I'm probably just missing something. There is likely a good, simple resource out there and I've missed it.


xpac
SplunkTrust

I see two possible ways:

What would most likely be the "cleanest" way is creating a custom alert action. You could then schedule a search and have your custom alert action trigger, it being provided with the result of that search. I've not done this yet and please be aware that Splunk still runs Python 2 (sadly).
You could start on that here.

The quick and dirty approach would be to run the Splunk CLI and have it output the results in CSV style, then load that CSV into your Python and there you go.
The CLI command could look like this:
splunk search "index=badguys yoursearchhere | stats count by something" -output csv -auth admin:changeme

Pick your poison. 😉

Hope that helps - if it does I'd be happy if you would upvote/accept this answer, so others could profit from it. 🙂

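The second ("quick and dirty") approach in the answer above, carried through as an added example. This is not code from the question's author or from Splunk: it parses the kind of CSV that `splunk search "... | stats count by src_ip" -output csv` returns and collapses the attacking hosts into the narrowest CIDR blocks that each hold a minimum number of distinct attackers, which is the netmask-tuning problem the question describes. The field names `src_ip` and `count`, the sample rows (RFC 5737 documentation addresses) and the thresholds are constructed assumptions; stdlib only, IPv4 only.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample: what `splunk search "... | stats count by src_ip" -output csv`
# might return for a password-spraying wave. Addresses are RFC 5737 documentation
# ranges; the trailing junk row shows that malformed lines are skipped.
SAMPLE_CSV = """src_ip,count
203.0.113.5,4
203.0.113.6,3
203.0.113.7,5
203.0.113.9,2
198.51.100.77,6
198.51.100.78,4
192.0.2.200,3
not-an-ip,1
"""


def load_ip_counts(csv_text, ip_field="src_ip", count_field="count"):
    """Parse Splunk CSV output into {ipv4_string: attempt_count}.

    The field names are assumptions about the search; rows whose IP field is
    not a valid IPv4 address or whose count is not an integer are skipped.
    """
    counts = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            ip = str(ipaddress.IPv4Address(row[ip_field].strip()))
            counts[ip] = counts.get(ip, 0) + int(row[count_field])
        except (KeyError, AttributeError, ValueError):
            continue  # AddressValueError is a ValueError subclass
    return counts


def minimal_blocks(ip_counts, min_hits=3, widest_prefix=24):
    """Collapse attacking hosts into the narrowest CIDR blocks that each
    contain at least `min_hits` distinct attackers.

    Bottom-up: starting from /32s, each prefix length from /31 down to
    `widest_prefix` is tried in turn, and two or more neighbouring blocks are
    merged into their common supernet only when that supernet would hold
    >= min_hits attackers. Hosts that never reach the threshold stay as /32s,
    so one stray address never drags a whole /24 onto the block list.
    Returns a sorted list of CIDR strings.
    """
    blocks = {ipaddress.ip_network(ip): {ip} for ip in ip_counts}
    for plen in range(31, widest_prefix - 1, -1):
        groups = defaultdict(list)
        for net in blocks:
            groups[net.supernet(new_prefix=plen)].append(net)
        merged = {}
        for supernet, members in groups.items():
            hosts = set().union(*(blocks[m] for m in members))
            if len(members) > 1 and len(hosts) >= min_hits:
                merged[supernet] = hosts
            else:
                for m in members:
                    merged[m] = blocks[m]
        blocks = merged
    return [str(net) for net in sorted(blocks)]


def block_report(ip_counts, min_hits=3, widest_prefix=24):
    """Attach attacker, attempt and collateral totals to each block so the
    list can be reviewed before anything is pushed to a firewall."""
    report = []
    for cidr in minimal_blocks(ip_counts, min_hits, widest_prefix):
        net = ipaddress.ip_network(cidr)
        hosts = [ip for ip in ip_counts if ipaddress.ip_address(ip) in net]
        report.append({
            "cidr": cidr,
            "attackers": len(hosts),
            "attempts": sum(ip_counts[ip] for ip in hosts),
            "addresses_blocked": net.num_addresses,
        })
    return report


if __name__ == "__main__":
    # In practice the CSV text would come from the CLI command in the answer
    # above (e.g. via subprocess) instead of the constructed sample.
    for row in block_report(load_ip_counts(SAMPLE_CSV)):
        print(row)
```

With the sample data and `min_hits=3`, the three hosts in 203.0.113.4/30 reach the threshold first, and the block then widens to 203.0.113.0/28 to absorb 203.0.113.9 because that merge adds another attacker; the pair in 198.51.100.0/24 never reaches three distinct hosts and stays as two /32s. Lowering `min_hits` to 2 merges that pair into 198.51.100.76/30. The `addresses_blocked` column is the collateral cost of each decision, which is the number worth eyeballing before a block goes live.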