
Splunk Integration

Matthias Vallentin edited this page Oct 7, 2015 · 2 revisions

Splunk supports custom search commands that invoke external applications to run queries. This feature makes it possible to run VAST queries from within Splunk.


  1. Add the following to [SPLUNK_HOME]/etc/system/local/commands.conf:

    filename =
    generating = true
  2. If it doesn't exist, create the directory [SPLUNK_HOME]/etc/searchscripts and put the following Python script in there. It calls VAST with the query and converts the Bro-format output that VAST returns into CSV for Splunk:

    #!/usr/bin/env python
    # Python 2 script (the interpreter Splunk bundled at the time of writing).
    import csv
    import subprocess
    import sys

    # Splunk eats double quotes when parsing input, so the VAST query is written
    # with single quotes in Splunk and converted here to the double quotes VAST
    # expects.
    searcharg = sys.argv[1].replace("'", '"')
    # argv list, no shell: the query text reaches vast as a single argument.
    full_cmd = ['/usr/local/bin/vast', 'export', 'bro', '-h', searcharg]
    p = subprocess.Popen(full_cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE)
    # Print cmd line to stderr to show in splunk query log.
    print >> sys.stderr, full_cmd
    writer = csv.writer(sys.stdout)
    # Bro defaults; the #separator and #unset_field header lines override them.
    sep = '\t'
    unset = '-'
    while True:
      out = p.stdout.readline()
      if out == '' and p.poll() != None:
        break
      if out != '':
        if not out.startswith("#"):
          # not header: print fields as a CSV row, blanking unset fields
          writer.writerow(['' if v == unset else v
                           for v in out.rstrip('\n').split(sep)])
        elif out.startswith("#separator"):
          # get separator from header (written escaped, e.g. \x09)
          sep = out[10:].strip().decode('string_escape')
        elif out.startswith("#unset_field"):
          # get unset_field from header
          unset = out[12:].strip().decode('string_escape')
        elif out.startswith("#fields"):
          # print fields header CSV
          writer.writerow(out[7:].strip().split(sep))
        # other header value (#path, #types, #close, ...): discard
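The conversion step above is the part of the procedure that is easiest to get wrong and hardest to debug from inside Splunk, so here is an added example (not code from the VAST project or the wiki author) that isolates it: a Python 3 version of the Bro-to-CSV conversion, with the quote flip the search script performs, run over a constructed Bro log instead of live VAST output. The sample log, the placeholder query string and the `vast_path` argument are assumptions for the sake of the example; the header handling follows the Bro ASCII log format (`#separator`, `#unset_field`, `#fields`, with `\x09` and `-` as defaults).

```python
#!/usr/bin/env python3
"""Bro-to-CSV conversion as used by the Splunk search script, testable offline.

Added example for this wiki page, not code from VAST or Splunk.
"""
import codecs
import csv
import io
import subprocess

# Bro defaults; the #separator / #unset_field header lines override them.
DEFAULT_SEP = "\t"
DEFAULT_UNSET = "-"


def to_vast_query(splunk_arg):
    """Splunk strips double quotes from search-command arguments, so the user
    writes single quotes in Splunk; VAST expects double quotes."""
    return splunk_arg.replace("'", '"')


def decode_escapes(text):
    """Bro writes the separator escaped, e.g. '\\x09' for a tab."""
    return codecs.decode(text, "unicode_escape")


def bro_to_rows(lines):
    """Yield the #fields header as the first row, then one row per record.

    Unset fields become empty strings. Other header lines (#path, #types,
    #open, #close, ...) carry nothing Splunk needs and are discarded.
    """
    sep, unset = DEFAULT_SEP, DEFAULT_UNSET
    for raw in lines:
        line = raw.rstrip("\n")
        if not line:
            continue
        if not line.startswith("#"):
            yield ["" if v == unset else v for v in line.split(sep)]
        elif line.startswith("#separator "):
            sep = decode_escapes(line[len("#separator "):].strip())
        elif line.startswith("#unset_field"):
            unset = decode_escapes(line[len("#unset_field"):].strip(sep + " "))
        elif line.startswith("#fields"):
            yield line[len("#fields"):].strip(sep + " ").split(sep)
        # any other header line is discarded


def bro_to_csv(lines):
    """Return CSV text for an iterable of Bro log lines."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    for row in bro_to_rows(lines):
        writer.writerow(row)
    return buf.getvalue()


def run_vast(splunk_arg, vast_path="/usr/local/bin/vast"):
    """Run the same command line as the search script and return CSV text.

    The query is passed as one argv element, never through a shell, so the
    text typed into Splunk cannot be interpreted as shell syntax.
    """
    cmd = [vast_path, "export", "bro", "-h", to_vast_query(splunk_arg)]
    proc = subprocess.run(cmd, capture_output=True, text=True, check=True)
    return bro_to_csv(proc.stdout.splitlines(True))


# Constructed sample in Bro ASCII log format (not real VAST output).
SAMPLE_BRO_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\tconn\n"
    "#fields\tts\tuid\tid.orig_h\tid.resp_p\tservice\n"
    "#types\ttime\tstring\taddr\tport\tstring\n"
    "1444000000.123456\tCabc123\t10.0.0.5\t443\tssl\n"
    "1444000001.000000\tCdef456\t10.0.0.6\t53\t-\n"
    "#close\t2015-10-07-12-00-00\n"
).splitlines(True)


if __name__ == "__main__":
    # Placeholder query string: only the quote handling matters here.
    print(to_vast_query("service == 'ssl'"))
    print(bro_to_csv(SAMPLE_BRO_LOG), end="")
```

`bro_to_rows` reads the separator from the `#separator` line before it is used for any later header, which is why the defaults matter only for logs that omit those headers; the `csv` module takes care of quoting values that contain commas, something a plain `','.join(...)` would get wrong.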


Thanks to Pedro Simoes for contributing this procedure via the VAST chat.
