Changes

659 bytes added , 08:04, 15 November 2019

m

no edit summary

Line 1: Line 1:

Copy requirements to /opt/splunk/lib/python2.7/site-packages

−

Including ~~SplunkLookup~~.py:<syntaxhighlight lang="python">

+

Including splunk_lookup.py:<syntaxhighlight lang="python">

import csv

import sys

Line 9: Line 9:

class SplunkLookup:

__metaclass__ = ABCMeta

−

usage = "Usage: python {} [arg1] [arg2]"

+

usage = "Usage: python {} [arg1] [arg2]".format(__file__)

def __init__(self):

Line 24: Line 24:

@staticmethod

def read_arguments():

−

~~ipfield~~ = sys.argv[2]

+

arg1 = sys.argv[1]

−

~~location~~ = sys.argv[1]

+

arg2 = sys.argv[2]

−

return ~~ipfield~~, ~~location~~

+

return arg1, arg2

@staticmethod

Line 65: Line 65:

class SplunkLookupError(object):

pass

−

</syntaxhighlight>Create your own lookup in: /opt/splunk/etc/system/bin

−

Example : geoip.py<syntaxhighlight lang="python">

from splunk_lookup import SplunkLookup

from geoip2 import database

+

from geoip2.errors import AddressNotFoundError

+

DB_PATH = '/usr/share/geoip/GeoIP2-City.mmdb'

Line 106: Line 106:

locator = Geolocator(argument_value1)

return locator.location

−

except ~~Exception as e~~:

+

except (AddressNotFoundError, ValueError, TypeError):

return 'Unknown'

Line 113: Line 113:

SplunkLookupGeoIP()

+

</syntaxhighlight>Define your lookup At Splunk (Settings > Lookups > Lookup definitions)

+

+

<br />

+

===Query Usage Example===

+

+

sourcetype="pfsense:filterlog" host="pfsenseoperacionesinternet.rra.lan" dest_int=pppoe0 direction=inbound vendor_action=block | lookup GeoIP ipaddr as src_ip OUTPUT location | stats count by src_ip, location, dest_port, vendor_action | sort -num(count), sort num(src_ip), sort str(location), sort num(dest_port)

</syntaxhighlight>

Rafahsolis

Bureaucrats, Administrators

2,306

edits

Changes

Splunk: Python Lookup (edit)

Revision as of 08:04, 15 November 2019

Navigation menu

Search