Splunk Search

Retrieve configuration items from a custom python search command

domgkc
Explorer

I would like to get configuration items from within a custom search python command.

I have created a setup which adds configuration items "host", "port" and "key" for making external REST calls.

The external REST calls are made via a custom search command.
I would like to use the host, port and key stored in the configuration file to form the REST endpoint URL so that the Application can be installed without users having to change my python scripts.

Tried reviewing the splunk.admin class but it isn't obvious to me how to get to the configuration properties to retrieve the data I want. (I wish I was better at python).

I know I can make a REST call back to Splunk from within the search but making REST calls to Splunk itself to get the properties via /services/properties/myapp/myappitem seems a bit wrong.

Has anyone else tried to make use of splunk.admin to retrieve stored configuration?
Is there any way to achieve this?

1 Solution

ziegfried
Influencer

There are multiple ways to access config items from within custom search commands. The easiest one is to use splunk.clilib.cli_common:

from splunk.clilib import cli_common as cli
...
# Reads the merged (default + local) myconf.conf as seen on this search head;
# the second argument is the stanza name
cfg = cli.getConfStanza('myconf', 'mystanza')
print(cfg.get('myitem'))

The alternative is to actually access the configuration via REST. You can set up the search command to retrieve an auth token via STDIN when it's called by setting passauth = true in commands.conf (enableheader has to be set to true as well).

import splunk.entity
import splunk.Intersplunk
...
settings = dict()
# has_header=True parses the key:value header splunkd prepends to the input
# (it contains sessionKey when passauth = true) into the settings dict
records = splunk.Intersplunk.readResults(settings=settings, has_header=True)
...
# Read the stanza through the REST layer, in the app's namespace, with the session key
entity = splunk.entity.getEntity('/admin/conf-myconf', 'mystanza', namespace='myapp',
                                 sessionKey=settings['sessionKey'], owner='nobody')
print(entity.get('myitem'))

Retrieving the config via REST is the cleaner way IMO. It additionally gives you control over app/user namespace when reading the configuration.

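The passauth/REST flow in the answer above, modelled offline as an added example in Python 3 (this is not code from the thread or from Splunk) so it can be run without a Splunk instance: the stdin header is parsed the same way readResults does it, the GET that getEntity issues for the stanza is built with the token in the Authorization header, and the host, port and key items are validated before they are interpolated into the external URL. The sample stdin, the 127.0.0.1:8089 management URI, the servicesNS path form and the X-Api-Key header are assumptions. Two caveats worth knowing when choosing between the two methods: cli.getConfStanza reads the merged .conf files straight from disk with splunkd's file privileges, so it applies no role or namespace check, whereas the REST path is subject to the session's role and the app/owner namespace; and a secret such as the REST key sits in plaintext in myconf.conf, so Splunk's storage/passwords endpoint (readable with the same sessionKey) is the better home for it.

```python
import io
import ipaddress
import re
import urllib.parse
from typing import Dict, Tuple

# Constructed stand-in for what splunkd writes to a legacy (Intersplunk)
# custom search command's stdin when commands.conf has enableheader = true
# and passauth = true: "key:value" header lines, a blank line, then the CSV
# results. The session key and paths are made-up sample values.
SAMPLE_STDIN = (
    "infoPath:/opt/splunk/var/run/splunk/dispatch/1700000000.1/info.csv\n"
    "sessionKey:NOTAREALSESSIONKEY\n"
    "\n"
    "host,source\n"
    "web01,/var/log/access.log\n"
)

# Assumed management URI of the local splunkd; adjust for the deployment.
SPLUNKD_URI = "https://127.0.0.1:8089"


def read_header(stream: io.TextIOBase) -> Dict[str, str]:
    """Parse the header the way splunk.Intersplunk.readResults(settings=...,
    has_header=True) does: key:value lines up to the first blank line. The
    stream is left positioned at the results that follow."""
    settings: Dict[str, str] = {}
    while True:
        line = stream.readline()
        if line == "":
            # EOF before the blank terminator: refuse to guess
            raise ValueError("search command header was not terminated")
        line = line.rstrip("\n")
        if line == "":
            break
        key, sep, value = line.partition(":")
        settings[key] = value if sep else ""
    return settings


def conf_stanza_request(session_key: str, app: str, conf: str, stanza: str,
                        owner: str = "nobody") -> Tuple[str, Dict[str, str]]:
    """Build the GET that splunk.entity.getEntity('/admin/conf-<conf>', stanza,
    namespace=app, owner=owner, sessionKey=...) makes against the servicesNS
    path. The token travels in the Authorization header, never in the URL."""
    parts = ("servicesNS", owner, app, "admin", "conf-" + conf, stanza)
    path = "/".join(urllib.parse.quote(p, safe="") for p in parts)
    url = f"{SPLUNKD_URI}/{path}?output_mode=json"
    return url, {"Authorization": "Splunk " + session_key}


def conf_request_from_stdin(stream: io.TextIOBase, app: str, conf: str,
                            stanza: str) -> Tuple[str, Dict[str, str]]:
    """What a passauth-enabled command does at startup. A missing sessionKey is
    a commands.conf problem, so fail with a message that says so."""
    settings = read_header(stream)
    session_key = settings.get("sessionKey")
    if not session_key:
        raise RuntimeError("no sessionKey in header: set passauth = true and "
                           "enableheader = true for this command in commands.conf")
    return conf_stanza_request(session_key, app, conf, stanza)


# RFC 1123 style hostname: dot-separated labels of letters, digits and hyphens
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$")


def external_endpoint(stanza: Dict[str, str],
                      path: str = "/api/v1/lookup") -> Tuple[str, Dict[str, str]]:
    """Turn the host, port and key items of the app's stanza into the external
    REST call. The values come from an editable .conf file, so validate them
    before interpolating: a bad host or port fails closed, and the key is sent
    in a header (X-Api-Key is an assumed scheme) rather than in the URL, so it
    does not land in proxy or web-server access logs."""
    host = stanza.get("host", "").strip()
    try:
        netloc_host = f"[{host}]" if ipaddress.ip_address(host).version == 6 else host
    except ValueError:
        if not _HOSTNAME_RE.match(host):
            raise ValueError(f"invalid host in configuration: {host!r}")
        netloc_host = host
    try:
        port = int(stanza.get("port", ""))
    except ValueError:
        raise ValueError(f"invalid port in configuration: {stanza.get('port')!r}")
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range in configuration: {port}")
    key = stanza.get("key", "")
    if not key:
        raise ValueError("missing key in configuration")
    if not path.startswith("/") or ".." in path:
        raise ValueError(f"invalid path: {path!r}")
    return f"https://{netloc_host}:{port}{path}", {"X-Api-Key": key}


if __name__ == "__main__":
    print(conf_request_from_stdin(io.StringIO(SAMPLE_STDIN), "myapp", "myconf", "mystanza"))
    print(external_endpoint({"host": "api.example.com", "port": "8443", "key": "k"}))
```

In a real command, the stream is sys.stdin and the stanza dict is the JSON body returned by the conf request; the validation in external_endpoint is what protects the command when someone edits local/myconf.conf to point it somewhere else.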

peter_krammer
Communicator

When using the add-on builder this code works for me:

from splunklib import client   # Splunk SDK for Python; assumed to be on the add-on's path

def process_event(helper, *args, **kwargs):
    # The helper carries the session key the alert action was invoked with
    service = client.Service(
        token=helper.settings.get('session_key'),
        owner='nobody',
        app='SplunkEnterpriseSecuritySuite')
    # confs/<file>/<stanza>/<key>, read through the REST configs endpoint
    myitem = service.confs["myconf"]["mystanza"]["myitem"]
    helper.log_info("myitem={}".format(myitem))


pbankar
Path Finder

Hi ziegfried, thanks for the input. How do I use the

cli.getConfStanza('myconf','mystanza')

to get the version of my custom Add-On TA?

I tried

cli.getMergedConf("app")

But this gives me the version of another app installed on my setup. How do I mention my TA's app.conf folder?


highsplunker
Contributor

Thanks ziegfried, clear now.


domgkc
Explorer

Cheers ziegfried, nice. You rock!
