#!/usr/bin/env python | |
# -*- coding: utf-8 -*- | |
# https://docs.splunk.com/Documentation/Splunk/8.0.0/Knowledge/Configureexternallookups
import argparse | |
import csv | |
import sys | |
from splunklib.six import text_type | |
from splunklib.searchcommands.internals import CsvDialect | |
# MODIFY THIS: replace with the real forward transformation (inputs -> output)
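def do_something(input_str_1, input_str_2):
    """Return *input_str_1* reversed, then ' # ', then *input_str_2* unchanged.

    Args:
        input_str_1: Text to reverse (the lookup's first input field).
        input_str_2: Text appended verbatim after the ' # ' separator.

    Returns:
        The combined string, e.g. ``do_something('abc', 'x')`` -> ``'cba # x'``.
    """
    # str.format cannot evaluate a slice inside a replacement field:
    # '{input_str_1[::-1]}' looks up the *key* '::-1' on the string and raises
    # TypeError, so the reversal has to be done before formatting.
    return '{0} # {1}'.format(input_str_1[::-1], input_str_2)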
# MODIFY THIS: the inverse of do_something (output -> inputs), if a reverse lookup is wanted
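def do_something_rev(output_str):
    """Invert do_something: recover ``(input_str_1, input_str_2)`` from its output.

    Args:
        output_str: A value in the form produced by do_something, i.e.
            ``<input_1 reversed> # <input_2>``.

    Returns:
        A ``(input_str_1, input_str_2)`` tuple. The text before the first
        ' # ' is reversed back into input_str_1; everything after it (which
        may itself contain ' # ') is returned unchanged as input_str_2. If the
        separator is absent, the whole string is treated as the reversed first
        input and input_str_2 is ''.
    """
    # Split on the FIRST separator only so a ' # ' inside input 2 survives;
    # partition never raises, unlike indexing the result of split().
    reversed_1, _sep, input_str_2 = output_str.partition(' # ')
    # do_something reversed input 1, so reverse again to restore it.
    input_str_1 = reversed_1[::-1]
    return input_str_1, input_str_2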
# MODIFY THIS: decide which fields trigger the forward or reverse lookup. input_dict is mutated in place, so nothing is returned.
def process_line(input_dict, input_field_1, input_field_2, output_field):
    """Fill in whichever side of the lookup is missing, mutating *input_dict* in place.

    Forward: both inputs non-empty and the output empty ->
        ``output = do_something(input_1, input_2)``.
    Reverse: output non-empty and both inputs empty ->
        ``input_1, input_2 = do_something_rev(output)``.
    Any other combination (everything filled, everything empty, only one
    input present) leaves the row untouched.

    Args:
        input_dict: One CSV row keyed by header name; modified in place.
        input_field_1: Header name of the first input field.
        input_field_2: Header name of the second input field.
        output_field: Header name of the output field.

    Raises:
        KeyError: If one of the field names is not a key of *input_dict*.
    """
    value_1 = input_dict[input_field_1]
    value_2 = input_dict[input_field_2]
    result = input_dict[output_field]

    have_both_inputs = bool(value_1) and bool(value_2)
    have_output = bool(result)

    if have_both_inputs and not have_output:
        input_dict[output_field] = do_something(value_1, value_2)
        return
    if have_output and not value_1 and not value_2:
        input_dict[input_field_1], input_dict[input_field_2] = do_something_rev(result)
# Generic CSV reader/writer setup; should not need modification
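def get_csv_writer(infile, outfile, *args):
    """Build a DictReader over *infile* and a DictWriter over *outfile* sharing one header.

    The output header is written immediately so the caller can stream rows
    straight from the reader to the writer.

    Args:
        infile: Text stream holding the CSV that Splunk sends to the lookup.
        outfile: Text stream that the result CSV is written to.
        *args: Field names (the lookup's input/output fields) that must all
            be present in the input header.

    Returns:
        ``(reader, writer)`` -- the ``csv.DictReader`` and ``csv.DictWriter``.

    Raises:
        KeyError: If any name in *args* is missing from the input header.
            An empty *infile* has no header at all, so every name is missing.
    """
    reader = csv.DictReader(infile, dialect=CsvDialect)
    # DictReader.fieldnames is None when infile is empty; normalise it so the
    # membership test below raises the descriptive KeyError, not a TypeError.
    header = reader.fieldnames or []
    for arg in args:
        if arg not in header:
            raise KeyError('{arg!r} from command line arguments not found in input CSV headers'.format(arg=arg))
    writer = csv.DictWriter(outfile, header, dialect=CsvDialect)
    writer.writeheader()
    return reader, writer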
# Add or remove add_argument sections to match the number of fields your external lookup uses
# MODIFY THIS: the description can be removed or modified
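def main():
    """Entry point: read the lookup field names, stream the CSV through process_line.

    Splunk invokes the script with the lookup's field names as positional
    arguments and the rows as CSV on stdin; the result CSV goes to stdout.
    ``-i`` / ``-o`` exist so the script can be exercised by hand against files.
    """
    parser = argparse.ArgumentParser(description='Reverse input 1, append input 2, and return in output')
    # MODIFY BELOW: Start Splunk external lookup args
    parser.add_argument(
        'input_1', type=text_type, nargs=1,
        help='Input string to reverse.')
    parser.add_argument(
        'input_2', type=text_type, nargs=1,
        help='Input string to append')
    parser.add_argument(
        'output', type=text_type, nargs=1,
        help='Output string.')
    # MODIFY ABOVE: End Splunk external lookup args
    # const= covers a bare '-i' / '-o' given without a path: with nargs='?'
    # argparse would otherwise produce None, which the CSV reader/writer
    # cannot use.
    parser.add_argument('-i', '--infile', nargs='?', type=argparse.FileType('r'),
                        default=sys.stdin, const=sys.stdin,
                        help='Input CSV, defaults to stdin')
    parser.add_argument('-o', '--outfile', nargs='?', type=argparse.FileType('w'),
                        default=sys.stdout, const=sys.stdout,
                        help='Output CSV, defaults to stdout')
    args = parser.parse_args()
    infile = args.infile
    outfile = args.outfile
    # MODIFY THIS: create a properly ordered list of args to process.
    # The order must match process_line's parameters: input_1, input_2, output.
    arg_list = [
        args.input_1[0],
        args.input_2[0],
        args.output[0],
    ]
    reader, writer = get_csv_writer(infile, outfile, *arg_list)
    for line in reader:
        process_line(line, *arg_list)
        writer.writerow(line)
    # Push buffered output now so a file given via -o is complete even if the
    # interpreter is torn down abruptly afterwards.
    outfile.flush()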
# Script guard: run the lookup only when executed directly, not when imported.
# main() returns None, so sys.exit(None) exits with status 0 as before.
if __name__ == '__main__':
    sys.exit(main())