Splunk Python External Lookup
| #!/usr/bin/env python | |
| # -*- coding: utf-8 -*- | |
| # https://docs.splunk.com/Documentation/Splunk/8.0.0/Knowledge/Configureexternallookups | |
| import argparse | |
| import csv | |
| import sys | |
| from splunklib.six import text_type | |
| from splunklib.searchcommands.internals import CsvDialect | |
| # MODIFY THIS: to do something useful | |
| def do_something(input_str_1, input_str_2): | |
| return '{input_str_1[::-1]} # {input_str_2}'.format(input_str_1=input_str_1, input_str_2=input_str_2) | |
| # MODIFY THIS: to reverse it, if desired | |
| def do_something_rev(output_str): | |
| output_split = output_str.split(' # ') | |
| input_str_1 = output_split[0] | |
| input_str_2 = output_split[0][::1] | |
| return input_str_1, input_str_2 | |
| # MODIFY THIS: Identify which inputs need to be processed. The input_dict is mutable, so we don't need to return anything | |
| def process_line(input_dict, input_field_1, input_field_2, output_field): | |
| # If the input field is present and the output field is not, populate the output field | |
| if input_dict[input_field_1] and input_dict[input_field_2] and not input_dict[output_field]: | |
| input_dict[output_field] = do_something(input_dict[input_field_1], input_dict[input_field_2]) | |
| # If the output field is present and the inputs are empty, populate the inputs | |
| elif input_dict[output_field] and not input_dict[input_field_1] and not input_dict[input_field_2]: | |
| input_dict[input_field_1], input_dict[input_field_2] = do_something_rev(input_dict[output_field]) | |
| # Generic CSV reader/writer function, should not need modification | |
| def get_csv_writer(infile, outfile, *args): | |
| reader = csv.DictReader(infile, dialect=CsvDialect) | |
| header = reader.fieldnames | |
| for arg in args: | |
| if arg not in header: | |
| raise KeyError('{arg!r} from command line arguments not found in input CSV headers'.format(arg=arg)) | |
| writer = csv.DictWriter(outfile, header, dialect=CsvDialect) | |
| writer.writeheader() | |
| return reader, writer | |
| # Add/remove the add_argument sections for the number of parameters your external lookup uses | |
| # MODIFY THIS: The description can be removed or modified | |
| def main(): | |
| parser = argparse.ArgumentParser(description='Reverse input 1, append input 2, and return in ouput') | |
| # MODIFY BELOW: Start Splunk external lookup args | |
| parser.add_argument( | |
| 'input_1', type=text_type, nargs=1, | |
| help='Input string to reverse.') | |
| parser.add_argument( | |
| 'input_2', type=text_type, nargs=1, | |
| help='Input string to append') | |
| parser.add_argument( | |
| 'output', type=text_type, nargs=1, | |
| help='Output string.') | |
| # MODIFY ABOVE: End Splunk external lookup args | |
| parser.add_argument('-i', '--infile', nargs='?', type=argparse.FileType('r'), default=sys.stdin, | |
| help='Input CSV, defaults to stdin') | |
| parser.add_argument('-o', '--outfile', nargs='?', type=argparse.FileType('w'), default=sys.stdout, | |
| help='Input CSV, defaults to stdout') | |
| args = parser.parse_args() | |
| infile = args.infile | |
| outfile = args.outfile | |
| # MODIFY THIS: create properly ordered list of args to process | |
| arg_list = [ | |
| args.input_1[0], | |
| args.input_2[0], | |
| args.output[0], | |
| ] | |
| reader, writer = get_csv_writer(infile, outfile, *arg_list) | |
| for line in reader: | |
| process_line(line, *arg_list) | |
| writer.writerow(line) | |
| if __name__ == '__main__': | |
| main() |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment