
Sending output to a script Add-on Builder

tmontney
Builder

I've just discovered the Add-on Builder. I'm stuck on one final piece. I am creating a generic PowerShell script runner, as I don't see one that exists.

# encoding = utf-8
import subprocess

def process_event(helper, *args, **kwargs):
    """
    # IMPORTANT
    # Do not remove the anchor macro:start and macro:end lines.
    # These lines are used to generate sample code. If they are
    # removed, the sample code will not be updated when configurations
    # are updated.

    [sample_code_macro:start]

    # The following example gets the alert action parameters and prints them to the log
    script_path = helper.get_param("script_path")
    helper.log_info("script_path={}".format(script_path))

    script_args = helper.get_param("script_args")
    helper.log_info("script_args={}".format(script_args))


    # The following example adds two sample events ("hello", "world")
    # and writes them to Splunk
    # NOTE: Call helper.writeevents() only once after all events
    # have been added
    helper.addevent("hello", sourcetype="sample_sourcetype")
    helper.addevent("world", sourcetype="sample_sourcetype")
    helper.writeevents(index="summary", host="localhost", source="localhost")

    # The following example gets the events that trigger the alert
    events = helper.get_events()
    for event in events:
        helper.log_info("event={}".format(event))

    # helper.settings is a dict that includes environment configuration
    # Example usage: helper.settings["server_uri"]
    helper.log_info("server_uri={}".format(helper.settings["server_uri"]))
    [sample_code_macro:end]
    """

    helper.log_info("Alert action main_alert started.")

    # Alert action parameters as configured in Add-on Builder
    script_path = helper.get_param("script_path")
    script_args = helper.get_param("script_args")
    # Results of the triggering search (not yet passed to the script)
    helper_events = helper.get_events()

    # Command line for the script; 'powershell' appears once (the original
    # list repeated it, which launches a nested PowerShell)
    args = ['powershell', '-ExecutionPolicy', 'Unrestricted', '-command', script_path]
    # script_args is None/empty when the parameter is left blank, and
    # None.split() would raise
    if script_args:
        args.extend(script_args.split())

    subprocess.Popen(args)

    return 0

I assume helper.get_events is the search results. I want to send all events as a single argument, so something like args.extend(helper.get_events). It seems to send nothing. My PowerShell params are as follows:

param(
    [Parameter(Position=0,mandatory=$false)]
    [System.Object]$splunk_events
)

I'm also unsure of the object structure that it sends. Is there some kind of example of the search results, so it's easier to parse?


DavidHourani
Super Champion

Hi @tmontney,

helper.get_events() is what you're looking for; it's already in the code you're showing:

# The following example gets the events that trigger the alert
events = helper.get_events()
for event in events:
    helper.log_info("event={}".format(event))

What would you like your add-on to do exactly? There is already a PowerShell script runner that you can use as a modular input, if that's what you're looking for.

You could follow the tutorial here for more info: https://docs.splunk.com/Documentation/AddonBuilder/2.2.0/UserGuide/CreateAlertActions

As for the list of functions you can use for alert actions, you can find everything here: https://docs.splunk.com/Documentation/AddonBuilder/2.2.0/UserGuide/PythonHelperFunctions#Functions_f...

Cheers,
David

tmontney
Builder

I'm already using the PowerShell v3 Modular Input to get data in. I want an alert to run a PowerShell script, like Splunk used to provide before it was deprecated.

What I determined is I was sending the object itself, which seems to be a dict, as a parameter. Its default ToString method just outputs the name of the parameter, which lines up with what I was seeing. That's definitely not going to work, and it needs to be serialized. Since it's JSON, it's very difficult to send as a parameter (Splunk also seems to use single quotes for JSON, which isn't to standard).

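The serialization problem the last post arrives at, and the "what does the search result look like" question in the first post, are both covered by the following added example. It is not code from this thread or from Add-on Builder: the helper method names (get_param, get_events, log_info) are the ones used on the page, the SAMPLE_EVENTS rows, their field names and the small .ps1 script are constructed here, and the choice of -File, -NoProfile and -ExecutionPolicy Bypass is an assumption (the post used -command and Unrestricted). The events are encoded with json.dumps (standard double-quoted JSON; the single-quoted form in helper.log_info output is Python's dict repr, not what gets sent) and handed to PowerShell on stdin rather than on the command line, so search output an attacker may have influenced never becomes process arguments, never hits the command-line length limit, and never shows up in process listings.

```python
import json
import os
import shlex
import shutil
import subprocess
import tempfile

# Constructed sample of what helper.get_events() yields: one dict per result
# row of the triggering search. Field names and values are made up here.
SAMPLE_EVENTS = [
    {"_time": "1700000000", "host": "web-01", "src_ip": "10.0.0.5", "action": "blocked"},
    {"_time": "1700000042", "host": "web-02", "src_ip": "10.0.0.9", "action": "allowed"},
]

# Constructed PowerShell script that reads the JSON array from stdin instead
# of expecting a $splunk_events parameter.
SAMPLE_PS1 = r"""
param([string]$Label = "alert")
$events = [Console]::In.ReadToEnd() | ConvertFrom-Json
foreach ($e in $events) { Write-Output "$Label $($e.host) $($e.src_ip) $($e.action)" }
"""


def serialize_events(events):
    """Encode the helper's event dicts as standard JSON bytes (UTF-8)."""
    return json.dumps(list(events), ensure_ascii=False).encode("utf-8")


def build_command(script_path, script_args, powershell_exe="powershell"):
    """Build argv for PowerShell without shell=True.

    Only the operator-configured script_args go on the command line; event
    data does not. script_args is tokenised in non-POSIX shlex mode so a
    quoted argument stays one token and Windows paths keep their backslashes
    (POSIX mode would treat the backslash as an escape).
    """
    argv = [
        powershell_exe,
        "-NoProfile", "-NonInteractive",
        "-ExecutionPolicy", "Bypass",  # assumption: the post used Unrestricted
        "-File", script_path,          # -File: script_path is a file, not re-parsed as a command
    ]
    if script_args:
        argv.extend(t.strip('"') for t in shlex.split(script_args, posix=False))
    return argv


def run_script(script_path, script_args, events, powershell_exe="powershell", timeout=60):
    """Run the script, feed it the events as JSON on stdin, return (rc, stdout)."""
    proc = subprocess.run(
        build_command(script_path, script_args, powershell_exe),
        input=serialize_events(events),
        capture_output=True,
        timeout=timeout,
    )
    return proc.returncode, proc.stdout.decode("utf-8", "replace")


def process_event(helper, *args, **kwargs):
    """Body for the Add-on Builder alert action (helper API names as on the page)."""
    rc, out = run_script(helper.get_param("script_path"),
                         helper.get_param("script_args"),
                         helper.get_events())
    helper.log_info("script rc={} stdout={}".format(rc, out.strip()))
    return rc


if __name__ == "__main__":
    exe = shutil.which("powershell") or shutil.which("pwsh")
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "print_events.ps1")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_PS1)
        print("argv:", build_command(path, '-Label "demo run"'))
        print("stdin:", serialize_events(SAMPLE_EVENTS).decode("utf-8"))
        if exe:  # only launch PowerShell where it is actually installed
            rc, out = run_script(path, '-Label "demo run"', SAMPLE_EVENTS, exe)
            print("rc={} stdout=\n{}".format(rc, out))
```

On the PowerShell side the whole contract is the one line `[Console]::In.ReadToEnd() | ConvertFrom-Json`; each element then exposes the Splunk field names as properties (`$e.host`, `$e._time`), which is the "structure of the search results" the first post asks about. Running the file directly prints the argv and the JSON payload, and executes the sample script only if `powershell` or `pwsh` is on PATH.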