Getting Data In

Best way to implement an external script

responsys_cm
Builder

We're using Splunk to index events from Bit9 and interact with its API to ban/approve files. We've written a python script that takes a number of command-line switches and values that we want Splunk to be able to run.

I'm unclear if the best approach is to make a custom search command, use "| script..." from the pipeline, or if I should alert off each event and run the script from there.

So if each event has the fields: hostname, host_id, is_installer, approval_type, hash

I want to run something like this for each event:

python Bit9_API -h $host_id$ -i $is_installer$ -a $approval_type$ -H $hash$

What's the smartest way to do this?

Thanks.

C


RichaSingh
Path Finder

I have a similar setup, where I have integrated a script to accept field values from live streaming events. The whole system integration works just fine. For instance, when I run " | script python script-name singleIP ", where the IP address is the one picked from a single event, it works fine.

But my only concern is to automate this for all the events in the selected time range and the field, rather than a single value.
I already tried my luck with " *| script python script-name $IP$ * ", where IP is the extracted field holding over 2000 IPs.
But the script doesn't seem to identify and read the values in there.

I am just wondering whether there are any Splunk event streaming input/output APIs I am missing that I should include in the script before automating this?
Kindly help me figure out the best and optimal path.


suryaavinash
Explorer

Hi Richa,

Any luck with " | script python script-name $IP$ "? Did you get any alternative for this?

I have a similar requirement and came across this post.


sideview
SplunkTrust

Neither way is really any smarter than the other. Instead, it depends on which direction you want to go, and which kind of custom Python you want to maintain: Python code that is run only when one or more alerts fire, or code that can be run in any search and happens to be used in some particular scheduled searches.

That said, if we're talking about a very large number of events in the tens of thousands or higher, I think it's probably best to do it as a streaming search command. I'm not sure if scripts that run on alerts are even given the entire set of events - my suspicion is that it is capped at something like 10K or 50K.

And even if it wasn't a particularly high number of events, unless there was some other reason against the search command direction, I'd probably go that way just because it's more open and, in the long run, leads to you learning a more powerful and generally useful kind of customization.
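To make the "streaming search command" direction concrete, here is an added example; it is not code from this thread and not the poster's Bit9_API script. It is a Python filter shaped like a streaming command: events arrive as CSV on stdin, each row's four fields from the question are mapped onto the script's switches, the script is invoked once per event, and the events are written back out with the outcome appended. The Splunk framing around the CSV (the Intersplunk header for `| script`, or the chunked protocol that the Splunk SDK's StreamingCommand implements) is assumed to be handled outside this snippet. The `Bit9_API` name and its `-h/-i/-a/-H` switches come from the question; the field format checks, the `dry_run` runner and the sample events are constructed assumptions. The point a practitioner should take from it is that field values are indexed data, so they are passed as an argv list with no shell and validated against an allow-list before they can trigger a ban or approval.

```python
"""Per-event invocation of an external script, in the shape of a streaming
search command (added example; Splunk-side framing assumed handled by caller)."""
import csv
import io
import re
import subprocess
import sys

# Assumed command prefix for the wrapper script named in the question.
BIT9_SCRIPT = ["python", "Bit9_API"]

# Fields each event must carry (named in the question).
REQUIRED_FIELDS = ("host_id", "is_installer", "approval_type", "hash")

# Allow-lists for values that become argv elements of a privileged action.
# Anything that does not match is skipped, never passed through.
_HASH = re.compile(r"^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$")
_HOST_ID = re.compile(r"^[0-9]{1,12}$")
_FLAG = re.compile(r"^(?:0|1|true|false)$", re.IGNORECASE)
_APPROVAL = re.compile(r"^[A-Za-z0-9_-]{1,32}$")


class BadEvent(ValueError):
    """Raised when an event lacks a field or carries an unexpected value."""


def build_argv(event):
    """Map one event's fields onto the script's switches as an argv list.

    A list (never a shell string) means a field value can only ever be an
    argument to Bit9_API, whatever characters an indexed event contains.
    """
    missing = [f for f in REQUIRED_FIELDS if not event.get(f)]
    if missing:
        raise BadEvent("missing field(s): " + ", ".join(missing))
    checks = (("host_id", _HOST_ID), ("is_installer", _FLAG),
              ("approval_type", _APPROVAL), ("hash", _HASH))
    for name, pattern in checks:
        if not pattern.match(event[name]):
            raise BadEvent(f"unexpected value for {name}: {event[name]!r}")
    return BIT9_SCRIPT + ["-h", event["host_id"], "-i", event["is_installer"],
                          "-a", event["approval_type"], "-H", event["hash"]]


def run_script(argv, timeout=30):
    """Run the wrapper once, without a shell, and return (rc, stdout)."""
    proc = subprocess.run(argv, capture_output=True, text=True,
                          timeout=timeout, check=False)
    return proc.returncode, proc.stdout.strip()


def dry_run(argv):
    """Constructed runner that only reports what would be executed."""
    return 0, "dry-run: " + " ".join(argv)


def process_stream(events, runner=run_script):
    """Invoke the runner once per event and annotate the event with the outcome."""
    for event in events:
        try:
            rc, out = runner(build_argv(event))
            event["bit9_status"] = "ok" if rc == 0 else f"error({rc})"
            event["bit9_output"] = out
        except BadEvent as exc:
            # Bad input is recorded and surfaced in the search, not executed.
            event["bit9_status"] = "skipped"
            event["bit9_output"] = str(exc)
        yield event


def process_csv_text(text, runner=run_script):
    """CSV in, list of annotated rows out: the stdin/stdout contract."""
    return list(process_stream(csv.DictReader(io.StringIO(text)), runner))


def write_csv(rows, out):
    if not rows:
        return
    writer = csv.DictWriter(out, fieldnames=list(rows[0].keys()))
    writer.writeheader()
    writer.writerows(rows)


# Constructed sample events in the shape the question describes.
SAMPLE_CSV = "\n".join([
    "hostname,host_id,is_installer,approval_type,hash",
    "ws-01,1001,1,ban," + "a" * 64,        # SHA-256-shaped hash
    "ws-02,1002,0,approve," + "b" * 40,    # SHA-1-shaped hash
    "ws-03,1003,1,ban,not-a-hash",         # fails validation, is skipped
]) + "\n"

if __name__ == "__main__":
    # Piped stdin: behave as the command. Interactive: dry-run the sample.
    piped = not sys.stdin.isatty()
    source = sys.stdin.read() if piped else SAMPLE_CSV
    write_csv(process_csv_text(source, run_script if piped else dry_run), sys.stdout)
```

Run it with no input to see the dry-run mapping for the three sample events; the third row comes back with `bit9_status=skipped` and the reason in `bit9_output`, which is the behaviour you want in a search result rather than a silent failure. Swapping `dry_run` for `run_script` is the only change needed to make it act on Bit9.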

responsys_cm
Builder

They would all be field values coming from each incoming event.


sideview
SplunkTrust

Are some or all of those $foo$ tokens representing values that would be field values in each of the incoming events?
