"""
This script shows how to get notable events from a Splunk instance running Enterprise Security.
It uses only the libraries bundled with Splunk, so run it with Splunk's own interpreter:
/opt/splunk/bin/splunk cmd python get_notables.py
"""
import os
import time

import splunk.auth
import splunk.search
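def get_notables(session_key, earliest, latest, max_results=10000, timeout=None):
    """Run the `notable` macro search and return the job's events.

    Args:
        session_key: Splunk session key obtained from splunk.auth.getSessionKey.
        earliest: Splunk time modifier for the search window start (e.g. '-24h').
        latest: Splunk time modifier for the search window end (e.g. 'now').
        max_results: Cap passed to `head`; coerced with int() so only a number
            can ever be spliced into the SPL string.
        timeout: Optional number of seconds to wait for the job to finish.
            None (the default, and the original behaviour) waits indefinitely.

    Returns:
        The `events` attribute of the finished search job; callers iterate it
        and index each entry by field name (e.g. notable['source']).

    Raises:
        ValueError: if max_results is not convertible to int.
        RuntimeError: if timeout is set and the job has not completed in time.
    """
    # int() is the only thing standing between the caller and the SPL string,
    # so keep the cast even though it looks redundant with the %i format.
    search = '| search `notable` | head %i' % int(max_results)

    search_job = splunk.search.dispatch(
        search,
        earliest_time=earliest,
        latest_time=latest,
        sessionKey=session_key,
    )

    # Poll once a second; without a deadline a job that never reaches isDone
    # (e.g. a failed or stuck search) would spin here forever.
    deadline = None if timeout is None else time.time() + timeout
    while not search_job.isDone:
        if deadline is not None and time.time() >= deadline:
            raise RuntimeError(
                'Notable search %s did not complete within %s seconds'
                % (search_job.sid, timeout)
            )
        time.sleep(1)

    # Re-fetch the job by sid (mirrors the notable event REST handler) and
    # hand back its events for the caller to process.
    job = splunk.search.getJob(search_job.sid, sessionKey=session_key)
    return job.events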
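# Authenticate. Credentials are read from the environment so they need not be
# committed with the script; the variable names below are chosen by this
# script, and the original literal values remain as fallbacks for demo use.
session_key = splunk.auth.getSessionKey(
    username=os.environ.get('SPLUNK_USERNAME', 'admin'),
    password=os.environ.get('SPLUNK_PASSWORD', 'changeme'),
)

# Get the notables from the last 24 hours, capped at 10 results.
notables = get_notables(session_key, '-24h', 'now', 10)

# Print the source of each notable (just to show how to get the fields).
# print(...) with a single argument works under both Python 2 and 3.
for notable in notables:
    print(notable['source'])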