I've just discovered the Add-on builder. I'm stuck on one final piece. I am creating a generic Powershell script runner, as I don't see one that exists.
# encoding = utf-8
import subprocess


def process_event(helper, *args, **kwargs):
    """
    # IMPORTANT
    # Do not remove the anchor macro:start and macro:end lines.
    # These lines are used to generate sample code. If they are
    # removed, the sample code will not be updated when configurations
    # are updated.
    [sample_code_macro:start]

    # The following example gets the alert action parameters and prints them to the log
    script_path = helper.get_param("script_path")
    helper.log_info("script_path={}".format(script_path))
    script_args = helper.get_param("script_args")
    helper.log_info("script_args={}".format(script_args))

    # The following example adds two sample events ("hello", "world")
    # and writes them to Splunk
    # NOTE: Call helper.writeevents() only once after all events
    # have been added
    helper.addevent("hello", sourcetype="sample_sourcetype")
    helper.addevent("world", sourcetype="sample_sourcetype")
    helper.writeevents(index="summary", host="localhost", source="localhost")

    # The following example gets the events that trigger the alert
    events = helper.get_events()
    for event in events:
        helper.log_info("event={}".format(event))

    # helper.settings is a dict that includes environment configuration
    # Example usage: helper.settings["server_uri"]
    helper.log_info("server_uri={}".format(helper.settings["server_uri"]))
    [sample_code_macro:end]
    """
    helper.log_info("Alert action main_alert started.")
    script_path = helper.get_param("script_path")
    script_args = helper.get_param("script_args")
    helper_events = helper.get_events()
    # Only one 'powershell' entry: a second one is passed to the interpreter
    # as its first argument instead of starting it
    args = ['powershell', '-ExecutionPolicy', 'Unrestricted', '-command', script_path]
    # script_args is optional, so guard against None before splitting
    args.extend((script_args or '').split())
    subprocess.Popen(args)
    return 0
I assume helper.get_events is the search results. I want to send all events as a single argument, so something like args.extend(helper.get_events). It seems to send nothing. My Powershell params are as such:
param(
    [Parameter(Position=0,mandatory=$false)]
    [System.Object]$splunk_events
)
I'm also unsure of the object structure that it sends. Is there some kind of example of the search results, so it's easier to parse?
Hi @tmontney,
helper.get_events() is what you're looking for; it's already in the code you're showing:

    # The following example gets the events that trigger the alert
    events = helper.get_events()
    for event in events:
        helper.log_info("event={}".format(event))

What would you like your add-on to do exactly? There is already a Powershell script runner that you can use as a modular input, if that's what you're looking for.
You could follow the tutorial here for more info: https://docs.splunk.com/Documentation/AddonBuilder/2.2.0/UserGuide/CreateAlertActions
As for the list of functions you can use for alert actions, you can find everything here: https://docs.splunk.com/Documentation/AddonBuilder/2.2.0/UserGuide/PythonHelperFunctions#Functions_f...
cheers,
David
I'm already using the Powershell v3 Modular Input to get data in. I want an alert to run a Powershell script, like Splunk used to provide before it was deprecated.
What I determined is I was sending the object itself, which seems to be dict, as a parameter. Its default ToString method just outputs the name of the parameter, which lines up with what I was seeing. That's definitely not going to work, and needs to be serialized. Since it's JSON, it's very difficult to send as a parameter (Splunk also seems to use single quotes for JSON, which isn't to standard).