Splunk Dev

Is there a simple resource for how to code up extensions in Python that work with the stats() command?

rgoerwit
Engager

Is there a good, simple resource for how to code up extensions in Python that work with the stats() command?

Background:

I'd never thought of using Python with Splunk...until this last month, when literally thousands of IP addresses started trying to brute-force user passwords using my org's externally visible systems. Each address tries a few passwords for a few users, making it silly to block individual IP addresses. I could block networks, but that's overkill unless I can tune the netmasks.

Anyway, I wrote up a Python script to help me figure out a set of minimal networks/masks I can block - more than individual IP addresses but less than, say, mechanically blocking a bunch of fixed-width netblocks. The script runs at a command line and has proven useful.

But it occurs to me that I should be rewriting it to work with the Splunk stats command and output a list (like values()).

I have read over some Splunk documentation on how to do this - or tried. It's spread out and what I can find is, to me, inscrutable. I do some coding, but generally it's in Perl, C#, C, etc. I'm probably just missing something. There is likely a good, simple resource out there and I've missed it.

0 Karma

xpac
SplunkTrust

I see two possible ways:

What would most likely be the "cleanest" way is creating a custom alert action. You could then schedule a search and have your custom alert action trigger, it being provided with the result of that search. I've not done this yet and please be aware that Splunk still runs Python 2 (sadly).
You could start on that here.

The quick and dirty approach would be to run the Splunk CLI and have it output the results in CSV style, then load that CSV into your Python, and there you go.
The CLI command could be like this:
splunk search "index=badguys yoursearchhere | stats count by something" -output csv -auth admin:changeme

Pick your poison. 😉

Hope that helps - if it does I'd be happy if you would upvote/accept this answer, so others could profit from it. 🙂

0 Karma
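A worked version of the quick-and-dirty route from the answer above, added here as an example and not code from either poster. It runs as a normal Python 3 script outside Splunk (so the Python 2 limitation does not apply), parses the CSV that `splunk search "... | stats count by src_ip" -output csv` prints, and collapses the offending hosts into the tightest CIDR blocks that each hold at least a chosen number of distinct attackers, which is the "more than single IPs, less than fixed-width netblocks" tuning the question describes. The field name `src_ip`, the thresholds, and all sample addresses are assumptions or constructed values, not data from the thread.

```python
import csv
import io
import ipaddress
import subprocess

# Constructed sample of what `splunk search "... | stats count by src_ip" -output csv`
# prints. The field name src_ip and every address below are assumed/constructed.
SAMPLE_CSV = """src_ip,count
203.0.113.5,3
203.0.113.9,2
203.0.113.77,4
203.0.113.200,1
198.51.100.12,5
198.51.100.13,2
192.0.2.1,1
"""


def run_splunk_search(search, auth="admin:changeme"):
    """Run the Splunk CLI exactly as in the answer and return its CSV output as text.
    Not called by default: everything else here works offline on SAMPLE_CSV."""
    out = subprocess.run(
        ["splunk", "search", search, "-output", "csv", "-auth", auth],
        check=True, capture_output=True, text=True,
    )
    return out.stdout


def load_offenders(csv_text, ip_field="src_ip"):
    """Parse the stats output into (ip_address, attempt_count) pairs, skipping bad rows."""
    offenders = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            offenders.append((ipaddress.ip_address(row[ip_field].strip()), int(row["count"])))
        except (KeyError, ValueError, AttributeError):
            continue  # malformed or short CSV line: ignore rather than abort the whole run
    return offenders


def _collapse(nets):
    """Merge adjacent blocks and drop blocks already covered by a wider one (per IP version)."""
    out = []
    for version in (4, 6):
        out.extend(ipaddress.collapse_addresses([n for n in nets if n.version == version]))
    return out


def minimal_blocks(offenders, min_prefix=24, min_hosts=3):
    """Collapse offending IPv4 hosts into the tightest networks worth blocking.

    Walks prefix lengths from /31 down to min_prefix (the widest block allowed). The
    first (narrowest) candidate supernet that contains at least min_hosts distinct
    offenders is blocked whole and its hosts are dropped from further consideration.
    Whatever is left is blocked as individual hosts. IPv6 offenders are only ever
    blocked as single hosts here.
    """
    remaining = {ip for ip, _ in offenders}
    blocks = []
    for prefix in range(31, min_prefix - 1, -1):
        groups = {}
        for ip in remaining:
            if ip.version != 4:
                continue
            net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
            groups.setdefault(net, set()).add(ip)
        for net, hosts in groups.items():
            if len(hosts) >= min_hosts:
                blocks.append(net)
                remaining -= hosts
    blocks.extend(ipaddress.ip_network(ip) for ip in remaining)
    return sorted(_collapse(blocks),
                  key=lambda n: (n.version, int(n.network_address), n.prefixlen))


def blocks_from_csv(csv_text, min_prefix=24, min_hosts=3):
    """End-to-end: CSV text in, list of CIDR strings out."""
    return [str(n) for n in minimal_blocks(load_offenders(csv_text), min_prefix, min_hosts)]


if __name__ == "__main__":
    # Swap SAMPLE_CSV for run_splunk_search('index=badguys ... | stats count by src_ip')
    # to work on live data.
    for cidr in blocks_from_csv(SAMPLE_CSV):
        print(cidr)
```

With the defaults, the sample's four hosts spread across 203.0.113.0/24 become one /25 plus a single stray /32, the two adjacent 198.51.100.x hosts merge into a /31 that covers exactly them, and the lone 192.0.2.1 stays a /32. Lowering `min_hosts` widens blocks faster; `min_prefix` caps how much collateral a single block can ever include, which is the knob to tune against your own address space and partners.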