This post shows how to process Splunk search results in Python from inside a custom search command.
Use the following method to receive the search results Splunk passes to the script:
```python
splunk.Intersplunk.getOrganizedResults(input_str = None)
```
This method reads the results of the search pipeline that precedes the custom command. It returns a tuple (results, dummyresults, settings); the first element is the list of results, one dictionary per event, with the field names as the dictionary keys. For example, for the search result shown in the figure below,
the list returned in the first element of the tuple looks like this:
```python
[{'_time': '2017-09-01 05:05:14', 'MAC': '66:22:33:44:55:66'},
 {'_time': '2017-09-01 05:13:16', 'MAC': '11:22:33:44:55:66'},
 {'_time': '2017-09-01 05:13:19', 'MAC': '11:22:33:44:55:66'}]
```
Contrary to the above, use the following method to pass data from Python to Splunk.
```python
splunk.Intersplunk.outputResults(results, messages = None, fields = None, mvdelim = '\n', outputfile = sys.stdout)
```
The required argument "results" is a list of dictionaries in the same form as the "results" returned by "getOrganizedResults". By default the output goes to standard output, which is how Splunk reads the command's results back; you can write to a file instead by passing a file object as the "outputfile" argument.
As a usage example, if the "MAC" field in the results received from Splunk is "11:22:33:44:55:66", set the "decision" field to "known", otherwise set it to "unknown". Then save the result to a CSV file and return it to Splunk for display, all from a custom search command.
How to create a custom search command with Python in Splunk is covered in the following post, so refer to it if you have not done this before: How to create a custom search command (Splunk)
Use the following wireless LAN AP logs as sample logs. (The MAC address is listed after STA.)
```text
2017/09/01 09:13:51 LAN WLAN(STA_DEAUTH): STA(11:22:33:44:55:66) is deauthed!
2017/09/01 09:13:34 LAN WLAN(RSN_CONNECT): STA(11:22:33:44:55:66) is associated!
2017/09/01 09:04:29 LAN WLAN(STA_DEAUTH): STA(11:22:33:44:55:66) is deauthed!
2017/09/01 09:04:23 LAN WLAN(RSN_CONNECT): STA(11:22:33:44:55:66) is associated!
2017/09/01 08:34:09 LAN WLAN(STA_DEAUTH): STA(11:22:33:44:55:66) is deauthed!
2017/09/01 08:34:01 LAN WLAN(RSN_CONNECT): STA(11:22:33:44:55:66) is associated!
2017/09/01 08:03:48 LAN WLAN(STA_DEAUTH): STA(11:22:33:44:55:66) is deauthed!
2017/09/01 08:03:42 LAN WLAN(RSN_CONNECT): STA(11:22:33:44:55:66) is associated!
2017/09/01 07:36:51 LAN WLAN(STA_DEAUTH): STA(33:22:33:44:55:66) is deauthed!
2017/09/01 07:36:35 LAN WLAN(RSN_CONNECT): STA(33:22:33:44:55:66) is associated!
2017/09/01 07:34:18 LAN WLAN(STA_DEAUTH): STA(11:22:33:44:55:66) is deauthed!
2017/09/01 07:34:10 LAN WLAN(RSN_CONNECT): STA(11:22:33:44:55:66) is associated!
```
The Python code looks like this.
check_mac_address.py
```python
import splunk.Intersplunk

# Receive the search results from Splunk: a (results, dummyresults, settings)
# tuple whose first element is the list of result dictionaries
results, dummyresults, settings = splunk.Intersplunk.getOrganizedResults()

# Judge each event by its MAC address. result.get() avoids a KeyError on
# events where the rex did not extract a MAC field, and lower() makes the
# comparison case-insensitive, since loggers differ in MAC address case
for result in results:
    if result.get('MAC', '').lower() == '11:22:33:44:55:66':
        result['decision'] = 'known'
    else:
        result['decision'] = 'unknown'

# Save the processing result as a CSV file; "with" closes the file after writing
with open("result.csv", "w") as csv_file:
    splunk.Intersplunk.outputResults(results, outputfile=csv_file)

# Return the processing result to Splunk for display
splunk.Intersplunk.outputResults(results)
```
The following search passes the results of the preceding pipeline to the custom command. The rex uses a `[^)]+` character class rather than a greedy `.*`, so the capture stops at the first closing parenthesis and nothing after the MAC address can end up in the field.
```text
index=ap_idx
|rex field=_raw "STA\((?<MAC>[^)]+)\)"
|table _time MAC
|run check_mac_address
```
The results are displayed in Splunk as shown below, and the same results are saved as "result.csv" in the directory the script runs in. Two things to keep in mind: the file is opened with mode "w", so every run of the command overwrites the previous result, and the write happens with the privileges of the Splunk process, so the path and the users allowed to run the command should be chosen deliberately.
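To see the whole flow end to end without a Splunk instance, here is an added example (my code, not the original post's script) that reproduces the rex extraction and the "known"/"unknown" check on the list-of-dicts shape that getOrganizedResults() hands to a command, and serialises the result to CSV. It goes beyond the post in two places: events with no MAC field get a separate "missing" decision instead of raising KeyError, and the CSV writer quotes every cell and defuses values a spreadsheet would treat as a formula, because the field values come straight from log lines that wireless clients can influence. The sample log, the KNOWN_MACS allowlist and the field names are assumptions made for this example; when the splunk module is importable the script behaves as a custom command, otherwise it runs against the constructed sample.

```python
import csv
import io
import re

# Constructed sample events in the format of the AP log above (not real data);
# the last two lines exercise a mixed-case MAC and an event with no STA field.
SAMPLE_LOG = """\
2017/09/01 09:13:51 LAN WLAN(STA_DEAUTH): STA(11:22:33:44:55:66) is deauthed!
2017/09/01 09:13:34 LAN WLAN(RSN_CONNECT): STA(11:22:33:44:55:66) is associated!
2017/09/01 07:36:51 LAN WLAN(STA_DEAUTH): STA(33:22:33:44:55:66) is deauthed!
2017/09/01 07:36:35 LAN WLAN(RSN_CONNECT): STA(AA:BB:CC:DD:EE:FF) is associated!
2017/09/01 07:34:10 LAN WLAN(RSN_CONNECT): no STA field in this event
"""

# Hypothetical allowlist of known client MAC addresses (an assumption here)
KNOWN_MACS = ("11:22:33:44:55:66",)

# Same extraction as the rex in the search, but anchored to exactly one MAC
# address instead of a greedy ".*", so trailing text can never leak into the field
MAC_RE = re.compile(r"STA\((?P<MAC>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\)")
TIME_RE = re.compile(r"^(?P<time>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})")


def parse_ap_log(text):
    """Turn raw AP log lines into the list-of-dicts shape that
    getOrganizedResults() hands to a custom command (_time and MAC fields)."""
    results = []
    for raw in text.splitlines():
        result = {"_raw": raw}
        m_time = TIME_RE.match(raw)
        if m_time:
            result["_time"] = m_time.group("time")
        m_mac = MAC_RE.search(raw)
        if m_mac:
            result["MAC"] = m_mac.group("MAC")
        results.append(result)
    return results


def normalize_mac(mac):
    """MAC addresses compare case-insensitively; loggers differ in case."""
    return mac.strip().lower()


def classify(results, known_macs):
    """Set decision=known/unknown on each result. An event without a MAC
    field gets 'missing' instead of the KeyError that result['MAC'] raises."""
    known = {normalize_mac(m) for m in known_macs}
    for result in results:
        mac = result.get("MAC")
        if mac is None:
            result["decision"] = "missing"
        elif normalize_mac(mac) in known:
            result["decision"] = "known"
        else:
            result["decision"] = "unknown"
    return results


def defuse_cell(value):
    """Prefix a quote to cells a spreadsheet would evaluate as a formula,
    since the values originate in log lines the AP's clients can influence."""
    return "'" + value if value[:1] in ("=", "+", "-", "@") else value


def results_to_csv(results, fields=("_time", "MAC", "decision")):
    """Serialise with the csv module, quoting every cell, so a value taken
    from an untrusted event cannot break the row layout."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(fields), extrasaction="ignore",
                            quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writeheader()
    for result in results:
        writer.writerow({f: defuse_cell(str(result.get(f, ""))) for f in fields})
    return buf.getvalue()


if __name__ == "__main__":
    try:
        import splunk.Intersplunk  # only importable inside Splunk's Python
        results, dummyresults, settings = splunk.Intersplunk.getOrganizedResults()
        splunk.Intersplunk.outputResults(classify(results, KNOWN_MACS))
    except ImportError:  # outside Splunk: run against the constructed sample
        print(results_to_csv(classify(parse_ap_log(SAMPLE_LOG), KNOWN_MACS)), end="")
```

Run outside Splunk it prints the CSV for the five sample events; the uppercase "AA:BB:CC:DD:EE:FF" line is "unknown" rather than a false "known", and the fifth line, which the original `result['MAC']` lookup would have crashed on, is reported as "missing" so the gap in coverage is visible in the output instead of silently truncating the result set.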