
This is my script but it is not working as it is saying that sys.arg[8] is out of index range.

Splunk: Your alert can trigger a shell script or batch file, which must be located in $SPLUNK_HOME/bin/scripts. Use the following attribute/value pairs:

action.script =

Splunk currently enables you to pass arguments to scripts both as command line arguments and as environment variables. This is because command line arguments don't always work with certain interfaces, such as Windows.

The values available in the environment are as follows:

SPLUNK_ARG_0  Script name
SPLUNK_ARG_1  Number of events returned
SPLUNK_ARG_2  Search terms
SPLUNK_ARG_3  Fully qualified query string
SPLUNK_ARG_4  Name of saved search
SPLUNK_ARG_5  Trigger reason (for example, "The number of events was greater than 1")
SPLUNK_ARG_6  Browser URL to view the saved search
SPLUNK_ARG_8  File in which the results for this search are stored (contains raw results)

SPLUNK_ARG_7 is not used for historical reasons.

These can be referenced in UNIX shell as $SPLUNK_ARG_0 and so on, or in Microsoft batch files via %SPLUNK_ARG_0% and so on. In other languages (perl, python, and so on), use the language native methods to access the environment.

#! /usr/bin/python

# Install the requests package for python
import requests
import csv, gzip, sys


# Set the request parameters
url = 'https://xxxxxxxxdev.service-now.com/api/now/table/new_call'
user = 'xxxxx'
pwd = 'xxxxxx'


# Open the results file whether or not it is gzip-compressed
# (Splunk hands the script results.csv.gz); this was called below but never defined
def openany(p):
    if p.endswith(".gz"):
        return gzip.open(p)
    return open(p)


event_count = int(sys.argv[1])  # number of events returned.
results_file = sys.argv[8]      # file with search results

# Set proper headers
headers = {"Content-Type":"application/json","Accept":"application/json"}

# Build a JSON-looking string from each result row
# (note: values containing quotes are not escaped here; json.dumps would be safer)
for row in csv.DictReader(openany(results_file)):
    output = "{"
    for name, val in row.iteritems():
        if output != "{":
            output += ","
        output += '"' + name + '":"' + val + '"'
    output += "}"

# Do the HTTP request
response = requests.post(url, auth=(user, pwd), headers=headers,
    data='{"short_description":"Theo\'s Test for Splunk to SN","company":"company\'s domain","u_source":"Service Desk","contact_type":"Alert","description":"Please place detailed alert detail including recommended steps"}')

# Check for HTTP codes other than 201 (Created)
if response.status_code != 201:
    print('Status:', response.status_code, 'Headers:', response.headers, 'Error Response:', response.json())
    sys.exit(1)

# Decode the JSON response into a dictionary and use the data
#resp=response.json()
#print('Status:',response.status_code,'Headers:',response.headers,'Response:',response.json())
print response.headers['location']
Theo

1 Answer


I see you are using the openany command, but haven't defined it in your code. Could that be causing the issue?

Otherwise, this should definitely be working; it matches my sample code and the code in the Splunk docs:

import gzip
import csv
import sys


# Open the results file as plain text or gzip, depending on the extension
def openany(p):
    if p.endswith(".gz"):
        return gzip.open(p)
    else:
        return open(p)


results = sys.argv[8]
for row in csv.DictReader(openany(results)):
    # do something with row["field"]
    pass
Simon Duff
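The two points raised on this page, reading the results file from whichever of argv[8] and SPLUNK_ARG_8 Splunk actually supplied and opening it as gzip or plain CSV, are shown together below in a complete alert script. This is an added example, not code from the question, the answer or Splunk's own documentation; it is written for Python 3, builds the ServiceNow body with json.dumps rather than by concatenating quotes (so a field value containing a double quote or comma cannot break the JSON), and returns None instead of raising IndexError when the script is run by hand with no arguments. The environment variable names SN_URL, SN_USER and SN_PASS, the search name "Failed logins" and the sample CSV rows are all constructed for the example.

```python
#!/usr/bin/env python3
"""Splunk alert script skeleton: find the results file via argv[8] or
SPLUNK_ARG_8, read the (possibly gzipped) CSV, and build the ServiceNow
JSON body with json.dumps so field values are escaped properly."""
import csv
import gzip
import json
import os
import sys
import tempfile


def openany(path):
    """Open results.csv or results.csv.gz as text; newline="" is what csv expects."""
    if path.endswith(".gz"):
        return gzip.open(path, "rt", encoding="utf-8", newline="")
    return open(path, "r", encoding="utf-8", newline="")


def results_path(argv, environ):
    """Return the results file path from argv[8], else SPLUNK_ARG_8, else None.
    Splunk sets both; a manual run (python script.py) sets neither, which is
    exactly what produces 'list index out of range' on sys.argv[8]."""
    if len(argv) > 8 and argv[8]:
        return argv[8]
    return environ.get("SPLUNK_ARG_8") or None


def read_results(path):
    """Parse the results file into a list of dicts, one per event row."""
    with openany(path) as fh:
        return list(csv.DictReader(fh))


def build_payload(rows, search_name, trigger_reason, max_rows=20):
    """Serialize the incident body; json.dumps escapes the quotes, commas and
    newlines that a hand-built '{"k":"v"}' string would pass through unescaped."""
    lines = [trigger_reason, ""]
    for row in rows[:max_rows]:
        lines.append("; ".join("%s=%s" % (k, row[k]) for k in sorted(row)))
    if len(rows) > max_rows:
        lines.append("(%d more rows in the results file)" % (len(rows) - max_rows))
    return json.dumps({
        "short_description": "Splunk alert: %s" % search_name,
        "u_source": "Service Desk",
        "contact_type": "Alert",
        "description": "\n".join(lines),
    })


def send_to_servicenow(url, user, pwd, body):
    """POST the body; returns the Location header of the created record.
    requests is imported here so the parsing above runs without it installed."""
    import requests
    headers = {"Content-Type": "application/json", "Accept": "application/json"}
    resp = requests.post(url, auth=(user, pwd), headers=headers, data=body, timeout=30)
    if resp.status_code != 201:
        raise RuntimeError("ServiceNow returned %d: %s" % (resp.status_code, resp.text))
    return resp.headers.get("location")


# Constructed sample results; the second row carries quotes and a comma.
SAMPLE_CSV = (
    '_time,host,user,message\n'
    '2024-01-01T00:00:00,web01,alice,"failed login from 10.0.0.5"\n'
    '2024-01-01T00:00:05,web01,bob,"user said ""hi"", then left"\n'
)


def write_sample_results(directory):
    """Write SAMPLE_CSV gzipped, the way Splunk hands results to the script."""
    path = os.path.join(directory, "results.csv.gz")
    with gzip.open(path, "wt", encoding="utf-8", newline="") as fh:
        fh.write(SAMPLE_CSV)
    return path


def demo():
    """Run the argv -> CSV -> payload pipeline offline; returns the decoded body."""
    with tempfile.TemporaryDirectory() as d:
        path = write_sample_results(d)
        # Constructed argv in the SPLUNK_ARG_0..8 layout (slot 7 unused).
        argv = ["send_to_servicenow.py", "2", "action=failure",
                "search index=auth action=failure", "Failed logins",
                "The number of events was greater than 1",
                "https://splunk.example/app/search", "", path]
        rows = read_results(results_path(argv, {}))
        return json.loads(build_payload(rows, argv[4], argv[5]))


if __name__ == "__main__":
    path = results_path(sys.argv, os.environ)
    if path is None:
        sys.exit("no results file: expected argv[8] or SPLUNK_ARG_8 (run from Splunk, not by hand)")
    rows = read_results(path)
    body = build_payload(rows, os.environ.get("SPLUNK_ARG_4", "unknown search"),
                         os.environ.get("SPLUNK_ARG_5", ""))
    # Credentials come from the environment instead of the script (SN_* names are assumed).
    print(send_to_servicenow(os.environ["SN_URL"], os.environ["SN_USER"],
                             os.environ["SN_PASS"], body))
```

Drop the script into $SPLUNK_HOME/bin/scripts and point action.script at it; when testing outside Splunk, set SPLUNK_ARG_8 to a saved results.csv.gz instead of relying on positional arguments, and keep the ServiceNow credentials out of the file itself.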