Splunk Search

How can I get search results field data out of Splunk?

heat
New Member

I asked this question on another support forum recently but didn't find a solution. Hoping for better results here.

I have created an eventtype in splunk for IPv6 firewall threat logs.

eventtype="IPv6 Threat"

I have the following fields of interest in my eventtype (with example data).

Time - 2018/10/29 02:40:59
IPv6_src - 2002::1
IPv6_dst - 2002::2
Level - critical/high/medium
Vulnerability - Drupal RCE

I want to send this data out of splunk for all matching events within a given search timeframe.

I realize there are many ways to skin a cat here, so if you have a best practice solution for it, please feel free to suggest tackling this another way.

Ideally I want to feed those 5 fields to a script via command line arguments like so:

$SPLUNK_HOME/bin/scripts/myScript.py Time IPv6_src IPv6_dst Level Vulnerability

I have tried setting up an alert.

Search eventtype="IPv6 Threat"
Number of results > 0
Trigger For each result
Trigger Action > Run a script
Filename myScript.py

This does nothing. I look in splunk's audit.log and I can see the alert fire, it finds results, but I never see it call the script (yes I made sure Splunk can run the script).

I'm not even sure how I'd tell it what fields to pass the script setting up an alert anyway. I do know how to reference results like $result.Time$ $result.IPv6_src$ etc.

I've also read I can somehow tell splunk to run a script by putting it in a search? The documentation for this is really confusing though.

If the script thing is a dead end...I can manage doing it some other way. If splunk can just dump the results into a flat file on the system, I can write a script to parse the file outside of splunk and pull the fields out that way too.

Is Splunk even the right tool for this?

I could have written an OSSEC decoder for these firewall logs in like 10 minutes and been on my way but I'm trying to learn how to get the most out of Splunk.


kamlesh_vaghela
SplunkTrust

@heat

Setting up an alert is a good approach. But you can't execute myScript.py directly from an alert. You have to call another script, which will execute myScript.py, because Splunk will pass its predefined parameters when executing a script from the alert.

Check this link.
https://docs.splunk.com/Documentation/Splunk/7.2.0/Alert/Configuringscriptedalerts

Just create a script test.py and set this script in your alert.

import sys
import gzip
import csv
from subprocess import call

def openany(p):
    # Splunk normally stores the alert results as a gzipped CSV; open in text mode
    if p.endswith(".gz"):
        return gzip.open(p, "rt")
    else:
        return open(p)

results_file = sys.argv[8]      # argument 8 is the file with search results
for row in csv.DictReader(openany(results_file)):
    # Build a command line to call based on fields from splunk output
    my_command = ["myScript.py", row["Time"], row["IPv6_src"], row["IPv6_dst"], row["Level"], row["Vulnerability"]]
    call(my_command)

Try it and let me know if there is any issue.

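The wrapper pattern from the answer above, carried a step further as an added example (this is not the answerer's script or anything shipped by Splunk). It reads the gzipped CSV results file that Splunk passes as the 8th argument to a scripted alert, keeps only the five fields the question lists, rejects rows whose addresses are not valid IPv6 or whose Level is outside the three values the question gives, and hands the values to the downstream script as an argv list rather than through a shell. The path myScript.py, the helper names, and the sample rows written by write_sample_results are assumptions constructed for the example.

```python
"""Scripted-alert wrapper (added example, not the answerer's code).

Splunk calls a scripted alert with several fixed arguments; argv[8] is the
path of the (usually gzipped) CSV file holding the search results.
"""
import csv
import gzip
import ipaddress
import os
import subprocess
import sys
import tempfile

# The five fields from the question, in the order myScript.py expects them.
FIELDS = ["Time", "IPv6_src", "IPv6_dst", "Level", "Vulnerability"]
# Assumed allowed values, taken from the question's "critical/high/medium".
ALLOWED_LEVELS = {"critical", "high", "medium"}


def openany(path):
    """Open a plain or gzipped CSV in text mode."""
    if path.endswith(".gz"):
        return gzip.open(path, "rt", newline="")
    return open(path, "r", newline="")


def validate_row(row):
    """Return the five field values as a list, or None if the row is unusable.

    Splunk writes many extra columns (_time, _raw, ...); only the expected
    fields are kept, and values that would surprise the downstream script
    (missing fields, non-IPv6 addresses, unknown levels) reject the row.
    """
    try:
        values = [row[f] for f in FIELDS]
    except KeyError:
        return None
    if any(v is None or v == "" for v in values):
        return None
    for ip_field in ("IPv6_src", "IPv6_dst"):
        try:
            ipaddress.IPv6Address(row[ip_field])
        except ValueError:
            return None
    if row["Level"].lower() not in ALLOWED_LEVELS:
        return None
    # Collapse whitespace and newlines so a value cannot smuggle extra lines
    # into whatever the downstream script logs.
    return [" ".join(v.split()) for v in values]


def build_commands(results_path, script_path):
    """Build one argv list per valid result row (no shell involved)."""
    commands = []
    with openany(results_path) as fh:
        for row in csv.DictReader(fh):
            values = validate_row(row)
            if values is not None:
                commands.append([sys.executable, script_path] + values)
    return commands


def run_alert(results_path, script_path):
    """Run the downstream script once per valid row; return the call count."""
    count = 0
    for cmd in build_commands(results_path, script_path):
        subprocess.call(cmd)
        count += 1
    return count


def write_sample_results(directory=None):
    """Write a constructed sample of what Splunk puts in argv[8] and return its path.

    The second row carries an invalid IPv6 source address on purpose.
    """
    directory = directory or tempfile.mkdtemp()
    rows = [
        {"_time": "1540780859", "Time": "2018/10/29 02:40:59", "IPv6_src": "2002::1",
         "IPv6_dst": "2002::2", "Level": "critical", "Vulnerability": "Drupal RCE"},
        {"_time": "1540780860", "Time": "2018/10/29 02:41:00", "IPv6_src": "not-an-ip",
         "IPv6_dst": "2002::2", "Level": "high", "Vulnerability": "Drupal RCE"},
        {"_time": "1540780861", "Time": "2018/10/29 02:41:01", "IPv6_src": "2002::3",
         "IPv6_dst": "2002::4", "Level": "medium", "Vulnerability": "Drupal RCE"},
    ]
    path = os.path.join(directory, "results.csv.gz")
    with gzip.open(path, "wt", newline="") as fh:
        writer = csv.DictWriter(fh, fieldnames=["_time"] + FIELDS)
        writer.writeheader()
        writer.writerows(rows)
    return path


if __name__ == "__main__":
    # Splunk passes the results file as the 8th argument of a scripted alert.
    # myScript.py is assumed to live next to this wrapper.
    run_alert(sys.argv[8], os.path.join(os.path.dirname(os.path.abspath(__file__)), "myScript.py"))
```

Because build_commands returns the argv lists instead of executing them, the validation can be exercised on a sample results file without a real myScript.py present, which is also a convenient way to check the wrapper before pointing an alert at it.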