Splunk Integration

Matthias Vallentin edited this page Oct 7, 2015 · 2 revisions

Splunk supports custom search commands that invoke an external application to answer a query. This makes it possible to run VAST queries from within Splunk and have the results show up as search output.

Setup

  1. Add the following to [SPLUNK_HOME]/etc/system/local/commands.conf:

    [vast]
    filename = eat.py
    generating = true
  2. If it doesn't exist, create the directory [SPLUNK_HOME]/etc/searchscripts and put the following Python script in there. It calls VAST with the query text, reads the exported Bro-format result, and converts it into the CSV that Splunk expects:

    #!/usr/bin/env python
    # Python 2 script; Splunk runs it once per search and passes the query
    # text as the first command-line argument.
    import subprocess, sys
    
    # Splunk eats double quotes when parsing input, so the VAST query is
    # written with single quotes in the search bar and turned back into
    # double quotes here before it is handed to VAST.
    searcharg = sys.argv[1].replace("'", '"')
    
    # The query is passed as a single argv element and no shell is involved,
    # so nothing in the query text can be interpreted as extra command syntax.
    full_cmd = ['/usr/local/bin/vast', 'export', 'bro', '-h', searcharg]
    
    p = subprocess.Popen(full_cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE,
                         stderr=sys.stderr)
    
    # Print cmd line to stderr to show in splunk query log.
    print >> sys.stderr, full_cmd
    
    sep = '_'    # replaced by the value of the '#separator' header line
    unset = '_'  # replaced by the value of the '#unset_field' header line
    
    def csv_line(fields, empty):
      # Quote every field (doubling embedded double quotes), then turn the
      # fields equal to `empty` into empty CSV cells.
      quoted = '"' + '","'.join(f.replace('"', '""') for f in fields) + '"\n'
      return quoted.replace('"' + empty + '"', '')
    
    while True:
      out = p.stdout.readline()
      if out == '' and p.poll() is not None:
        break
      if out != '':
        if not out.startswith("#"):
          # not header. print fields CSV, unset fields become empty cells
          sys.stdout.write(csv_line(out.strip().split(sep), unset))
        elif out.startswith("#separator"):
          # get separator from header; the value is an escape such as '\x09'
          sep = out[10:].strip().decode('string_escape')
        elif out.startswith("#unset_field"):
          # get unset_field from header
          unset = out[12:].strip().decode('string_escape')
        elif out.startswith("#fields"):
          # print fields header CSV
          sys.stdout.write(csv_line(out[8:].strip().split(sep), '-'))
        else:
          # other header value. discard.
          pass
        sys.stdout.flush()
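
As an added example (not code from this wiki page or from the VAST project), here is the same conversion in Python 3, split into functions and run over a constructed sample of `vast export bro` output, so the CSV quoting and the handling of the `#separator` and `#unset_field` header lines can be checked without a Splunk or VAST installation. The binary path `/usr/local/bin/vast` is the one used above; the sample records, the illustrative query text and the function names are assumptions.

```python
#!/usr/bin/env python3
# Added example, not part of the original wiki page or of VAST: a Python 3
# version of what the eat.py search script does, split into functions so the
# conversion can be checked against a constructed sample of Bro-format output.
# The vast binary path is the one used on the page; everything else (sample
# data, function names, query text) is assumed.
import csv
import io
import subprocess
import sys

# Constructed sample in the layout `vast export bro` produces: '#' header
# lines, tab-separated fields, '-' for unset fields. The first line is the
# literal text '#separator \x09' (the separator written as an escape).
SAMPLE_BRO_OUTPUT = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\tconn\n"
    "#fields\tts\tid.orig_h\tid.resp_p\tproto\tservice\thistory\n"
    "#types\ttime\taddr\tport\tenum\tstring\tstring\n"
    "1258531221.486539\t192.168.1.102\t80\ttcp\thttp\tShADadFf\n"
    "1258531680.237254\t192.168.1.103\t53\tudp\t-\tD\n"
    "1258531725.000000\t192.168.1.104\t22\ttcp\tssh\tSh\"A\"d\n"
)


def splunk_query_to_vast(searcharg):
    """Splunk strips double quotes from the search argument, so the query is
    typed with single quotes and converted back before it reaches VAST."""
    return searcharg.replace("'", '"')


def build_vast_command(query, vast_binary="/usr/local/bin/vast"):
    """Argument vector for the export. The query is a single argv element and
    no shell is involved, so metacharacters in it cannot add command syntax."""
    return [vast_binary, "export", "bro", "-h", query]


def bro_to_rows(lines):
    """Parse Bro-format lines into rows: the '#fields' header becomes the first
    row, data lines follow, and unset fields are returned as None. Separator
    and unset marker are taken from the header, which precedes the data."""
    sep = "_"      # placeholder until '#separator' is seen
    unset = "_"    # placeholder until '#unset_field' is seen
    rows = []
    for raw in lines:
        line = raw.rstrip("\n")
        if not line:
            continue
        if not line.startswith("#"):
            rows.append([None if f == unset else f for f in line.split(sep)])
        elif line.startswith("#separator"):
            # '#separator \x09': decode the escape sequence into the real char
            value = line[len("#separator"):].strip()
            sep = value.encode("ascii").decode("unicode_escape")
        elif line.startswith("#unset_field"):
            unset = line[len("#unset_field"):].strip()
        elif line.startswith("#fields"):
            rows.append(line[len("#fields"):].strip().split(sep))
        # remaining header lines (#types, #path, ...) carry nothing Splunk needs
    return rows


def rows_to_csv(rows):
    """Serialize with the csv module, which doubles embedded quotes and quotes
    fields containing commas, quotes or newlines; None becomes an empty cell."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    for row in rows:
        writer.writerow("" if f is None else f for f in row)
    return buf.getvalue()


def main(argv):
    """Command-line entry point mirroring eat.py: argv[1] is the query text."""
    query = splunk_query_to_vast(argv[1])
    cmd = build_vast_command(query)
    print(cmd, file=sys.stderr)  # shows up in Splunk's search log
    proc = subprocess.Popen(cmd, stdout=subprocess.PIPE, universal_newlines=True)
    sys.stdout.write(rows_to_csv(bro_to_rows(proc.stdout)))
    return proc.wait()


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Two properties of the original script are worth keeping when adapting it: the query reaches VAST as one argv element with no shell in between, so nothing typed into the search bar can add command syntax, and the CSV here is produced by the csv module rather than by string concatenation, so fields containing commas or newlines are quoted correctly in addition to fields containing double quotes.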

Acknowledgements

Thanks to Pedro Simoes for contributing this procedure via the VAST chat.
