Process Splunk execution results using Python and save to a file

I'll show you how to use Python to process Splunk execution results.

Receive Splunk execution results

Use the following method to receive Splunk's execution results in Python:

```python
splunk.Intersplunk.getOrganizedResults(input_str = None)
```

This method returns the results of the search that ran just before the command as a list of dictionaries. For example, take the execution result shown in the figure below (screenshot omitted).

The method returns it in the following form; each field name is a key of the dictionary.

```python
[{'_time':'2017-09-01 05:05:14', 'MAC':'66:22:33:44:55:66'},
 {'_time':'2017-09-01 05:13:16', 'MAC':'11:22:33:44:55:66'},
 {'_time':'2017-09-01 05:13:19', 'MAC':'11:22:33:44:55:66'}]
```

Pass (display) the processing result in Python to Splunk and write it to a file

In the opposite direction, use the following method to pass data from Python back to Splunk:

```python
splunk.Intersplunk.outputResults(results, messages = None, fields = None, mvdelim = '\n', outputfile = sys.stdout)
```

The required argument "results" is a list of dictionaries, in the same form as the "results" returned by "getOrganizedResults". By passing a file object as the "outputfile" argument, you can write the results to a file instead of standard output.

Example of use

As a usage example, if the "MAC" field of a result received from Splunk is "11:22:33:44:55:66", set the "decision" field to "known"; otherwise set it to "unknown". Then save the results to a CSV file and display them in Splunk via a custom search command.

How to create a custom search command with Python in Splunk is covered in a separate post; if you are not familiar with it, please refer to it: How to create a custom search command (Splunk)

Use the following wireless LAN access point logs as sample data (the MAC address follows "STA").

```text
2017/09/01 09:13:51  LAN  WLAN(STA_DEAUTH): STA(11:22:33:44:55:66) is deauthed!
2017/09/01 09:13:34  LAN  WLAN(RSN_CONNECT): STA(11:22:33:44:55:66) is associated!
2017/09/01 09:04:29  LAN  WLAN(STA_DEAUTH): STA(11:22:33:44:55:66) is deauthed!
2017/09/01 09:04:23  LAN  WLAN(RSN_CONNECT): STA(11:22:33:44:55:66) is associated!
2017/09/01 08:34:09  LAN  WLAN(STA_DEAUTH): STA(11:22:33:44:55:66) is deauthed!
2017/09/01 08:34:01  LAN  WLAN(RSN_CONNECT): STA(11:22:33:44:55:66) is associated!
2017/09/01 08:03:48  LAN  WLAN(STA_DEAUTH): STA(11:22:33:44:55:66) is deauthed!
2017/09/01 08:03:42  LAN  WLAN(RSN_CONNECT): STA(11:22:33:44:55:66) is associated!
2017/09/01 07:36:51  LAN  WLAN(STA_DEAUTH): STA(33:22:33:44:55:66) is deauthed!
2017/09/01 07:36:35  LAN  WLAN(RSN_CONNECT): STA(33:22:33:44:55:66) is associated!
2017/09/01 07:34:18  LAN  WLAN(STA_DEAUTH): STA(11:22:33:44:55:66) is deauthed!
2017/09/01 07:34:10  LAN  WLAN(RSN_CONNECT): STA(11:22:33:44:55:66) is associated!
```

The Python code looks like this.

check_mac_address.py

```python
import splunk.Intersplunk

# Receive the Splunk search results: a list of dictionaries keyed by field name
results, dummyresults, settings = splunk.Intersplunk.getOrganizedResults()

# Judge by looking at the MAC address (an event with no MAC field counts as unknown)
for result in results:
    if result.get('MAC') == '11:22:33:44:55:66':
        result['decision'] = 'known'
    else:
        result['decision'] = 'unknown'

# Save the processing result as a CSV file (the with block closes the file)
with open("result.csv", "w") as f:
    splunk.Intersplunk.outputResults(results, outputfile = f)

# Display the processing result on Splunk (written to standard output)
splunk.Intersplunk.outputResults(results)
```

The following search passes the search results to the custom search command we just created.

```spl
index=ap_idx
|rex field=_raw "STA\((?<MAC>.*)\)"
|table _time MAC
|run check_mac_address
```

The result is displayed in Splunk as shown in the figure below (screenshot omitted), and is also saved as "result.csv" in the same directory as the script.
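To try the same pipeline outside Splunk, here is an added, self-contained example (not code from the original post) that does in plain Python what the rex stage and check_mac_address.py do together: it extracts the MAC from constructed log lines with a Python form of the page's regex (tightened to a MAC shape), builds the same list of dictionaries that getOrganizedResults() would hand the script, generalises the single hard-coded MAC to an allowlist, and emits the CSV layout that outputResults() writes. The function names and the allowlist are assumptions of this example.

```python
import csv
import io
import re

# Constructed sample lines in the same format as the AP log on this page
SAMPLE_LOG = """\
2017/09/01 09:13:51  LAN  WLAN(STA_DEAUTH): STA(11:22:33:44:55:66) is deauthed!
2017/09/01 07:36:35  LAN  WLAN(RSN_CONNECT): STA(33:22:33:44:55:66) is associated!
2017/09/01 07:34:10  LAN  WLAN(RSN_CONNECT): STA(11:22:33:44:55:66) is associated!
"""

# Python form of the page's rex STA\((?<MAC>.*)\), restricted to a MAC address
# so that a log line with an unexpected token inside STA(...) is not extracted
MAC_RE = re.compile(r"STA\((?P<MAC>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\)")

def extract_results(log_text):
    """Build the [{'_time': ..., 'MAC': ...}] list that getOrganizedResults()
    would deliver after '| rex ... | table _time MAC'; lines with no MAC are skipped."""
    results = []
    for line in log_text.splitlines():
        m = MAC_RE.search(line)
        if not m:
            continue
        timestamp = " ".join(line.split()[:2])  # "2017/09/01 09:13:51"
        results.append({"_time": timestamp, "MAC": m.group("MAC").lower()})
    return results

def add_decision(results, known_macs):
    """Same judgement as check_mac_address.py, generalised from one hard-coded
    MAC to an allowlist (hypothetical); a missing MAC field is 'unknown'."""
    known = {mac.lower() for mac in known_macs}
    for result in results:
        result["decision"] = "known" if result.get("MAC", "").lower() in known else "unknown"
    return results

def to_csv(results):
    """Return header plus rows, the CSV layout outputResults() writes to outputfile."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["_time", "MAC", "decision"])
    writer.writeheader()
    writer.writerows(results)
    return buf.getvalue()

if __name__ == "__main__":
    rows = add_decision(extract_results(SAMPLE_LOG), ["11:22:33:44:55:66"])
    with open("result.csv", "w", newline="") as f:  # same file name as the post
        f.write(to_csv(rows))
    print(to_csv(rows))
```

Note that check_mac_address.py writes a fixed "result.csv" relative to the working directory, so two searches running the command at the same time will overwrite each other's file; a per-search name (for example from the sid in the settings dictionary) avoids that.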
