I am creating a simple script to take a hex (base 16) encoded field and convert it to readable text. For this endeavor, I have decided to use the built-in Python string method "<string>.decode("hex")". I would like to use this script in a search "pipeline", running a field called packet through the statement and creating a new field of decoded text in the process.
I have read the documentation for the API splunk.Intersplunk; however, I am not 100% sure what exactly I need to use to complete my script. Specifically, from the examples I have seen, I do not understand what the following line does for me:
(isgetinfo, sys.argv) = splunk.Intersplunk.isGetInfo(sys.argv)
Additionally, in the case of collecting results and creating the new field, is the following line needed?
results = splunk.Intersplunk.readResults(None, None, False)
So you are tracking, this is what I have thus far, and I believe I am close.
import sys
import string
import splunk.Intersplunk

# Program takes a hex encoded string from a field of each search result and adds the
# decoded value as a new field ("decoded") that shows up in the search results at the GUI.

# Splunk first runs the script with __GETINFO__ to ask how the command behaves; isGetInfo
# strips that argument and returns the flag, and outputInfo answers "streaming, not generating".
(isgetinfo, sys.argv) = splunk.Intersplunk.isGetInfo(sys.argv)
if isgetinfo:
    splunk.Intersplunk.outputInfo(True, False, False, False, None)
    sys.exit(0)

if len(sys.argv) < 2:  # make sure there is an argument (the field to decode), if not return an error
    splunk.Intersplunk.parseError("[!] No arguments provided, please provide the name of the field to decode.")
    sys.exit(1)
field = sys.argv[1]  # e.g. "packet"; not named str, which would shadow the builtin

# readResults pulls the incoming events off stdin as a list of dicts (one per result);
# True = expect the settings header Splunk sends when enableheader is left at its default
results = splunk.Intersplunk.readResults(None, None, True)
for result in results:
    hexstr = result.get(field, "").upper()  # I like uppercase hex strings :)
    # make sure all characters are hex and the length is even, so .decode("hex") cannot raise
    if hexstr and len(hexstr) % 2 == 0 and all(char in string.hexdigits for char in hexstr):
        result["decoded"] = hexstr.decode("hex")  # Python 2 codec; use binascii.unhexlify on Python 3
    else:  # flag the bad event instead of aborting the whole search
        result["decoded_error"] = "[!] String provided is not [A-F 0-9], please validate your inputs"

# outputResults wants the list of result dicts back, not a bare string
splunk.Intersplunk.outputResults(results)
Also, I am aware of the need for the stanza setting below.
[decode_hex]
TYPE = python
FILENAME = decode_hex.py
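The post asks what the isGetInfo and readResults lines actually do. The block below is an added example, not code from the post or from Splunk: it stands in for the splunk.Intersplunk plumbing with simplified reimplementations (is_get_info, output_info, read_results, output_results are assumptions that mirror the shape of the real calls, which move CSV over stdin/stdout) so the two-phase invocation of a streaming command can be run offline. Phase one is the __GETINFO__ call, where Splunk asks how the command behaves; phase two is the real pass, where the events arrive as CSV, the packet field is decoded into a new field, and the events go back out. Because packet payloads are arbitrary bytes, the decoder escapes anything that is not printable text rather than handing raw control characters to the results view, and a bad value marks the single event instead of killing the search. The sample events are constructed.

```python
import binascii
import csv
import io
import string

GETINFO_TOKEN = "__GETINFO__"
HEXDIGITS = frozenset(string.hexdigits)


def is_get_info(argv):
    """Stand-in for isGetInfo: on Splunk's first call argv[1] is __GETINFO__.
    Return (flag, argv with the token removed), like the real function."""
    args = list(argv)
    if len(args) > 1 and args[1] == GETINFO_TOKEN:
        del args[1]
        return True, args
    return False, args


def output_info(streaming, generating):
    """Stand-in for outputInfo (simplified): answer __GETINFO__ with a CSV row of flags."""
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=["streaming", "generating"], lineterminator="\n")
    w.writeheader()
    w.writerow({"streaming": int(streaming), "generating": int(generating)})
    return buf.getvalue()


def read_results(stream):
    """Stand-in for readResults: events arrive as CSV, one dict per event."""
    return list(csv.DictReader(stream))


def output_results(results):
    """Stand-in for outputResults: hand the (possibly extended) events back as CSV."""
    fields = []
    for row in results:
        for key in row:
            if key not in fields:
                fields.append(key)
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=fields, lineterminator="\n")
    w.writeheader()
    w.writerows(results)
    return buf.getvalue()


def decode_hex_value(value):
    """Decode one hex field; returns (text, error). Bytes that are not printable
    text are written as \\xNN so control characters never reach the UI raw."""
    hexstr = value.strip()
    if hexstr[:2].lower() == "0x":
        hexstr = hexstr[2:]
    if not hexstr or len(hexstr) % 2 or any(c not in HEXDIGITS for c in hexstr):
        return None, "not a hex string"
    text = binascii.unhexlify(hexstr).decode("utf-8", "replace")
    return "".join(ch if ch.isprintable() else "\\x%02x" % ord(ch) for ch in text), None


def decode_hex_results(results, src_field, dst_field):
    """The streaming step: add dst_field to each event; bad input flags the event only."""
    for row in results:
        value = row.get(src_field)
        if value is None:
            continue
        text, err = decode_hex_value(value)
        if err:
            row[dst_field + "_error"] = err
        else:
            row[dst_field] = text
    return results


def run_command(argv, stdin):
    """What the script body does: answer the getinfo handshake, else stream results."""
    isgetinfo, argv = is_get_info(argv)
    if isgetinfo:
        return output_info(streaming=True, generating=False)
    if len(argv) != 3:
        raise SystemExit("usage: decode_hex.py <hex_field> <new_field>")
    return output_results(decode_hex_results(read_results(stdin), argv[1], argv[2]))


# Constructed sample events, in the shape Splunk pipes them to the script.
SAMPLE_CSV = (
    "host,packet\n"
    "fw1,48454c4c4f\n"        # "HELLO"
    "fw2,0x474554202f0d0a\n"  # "GET /" followed by CRLF, which gets escaped
    "fw3,zz12\n"              # not hex: flagged, event kept
)


def run_sample():
    """Both phases over the constructed events: (getinfo reply, streamed results)."""
    info = run_command(["decode_hex.py", GETINFO_TOKEN], io.StringIO())
    out = run_command(["decode_hex.py", "packet", "decoded"], io.StringIO(SAMPLE_CSV))
    return info, out


if __name__ == "__main__":
    for chunk in run_sample():
        print(chunk, end="")
```

Inside Splunk the two run_command calls are the two invocations Splunk itself makes, so the real script only needs the isGetInfo branch followed by readResults and outputResults. For the command to run per chunk in the pipeline the commands.conf stanza from the post would also carry streaming = true; that setting is assumed here, not shown in the post.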