#!/usr/bin/python
#
# alert_attach.py - This script is intended to be called from the 'Run a script' feature in Splunk Alerts
# The script will take a search parameter from the 'description' field of the Splunk Alert
# and perform another search whose output will be included as an attachment in the email
#
# Requires splunk-python-sdk
#
# Rod Cordova (@gitrc)
#
import os
import sys
import subprocess
import smtplib
import gzip
import re
import csv
from StringIO import StringIO
from email.mime.multipart import MIMEMultipart
from email.mime.application import MIMEApplication
from email.mime.text import MIMEText
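# gather the variables passed by splunk
# Splunk's "Run a script" alert action hands over a fixed positional list.
# argv[5]..argv[7] are captured for completeness but are not used below.
splunk_scriptname = sys.argv[0]
splunk_eventcount = sys.argv[1]
splunk_searchterm = sys.argv[2]
splunk_fqs = sys.argv[3]
splunk_reportname = sys.argv[4]
splunk_trigger = sys.argv[5]
splunk_url = sys.argv[6]
splunk_deprecated = sys.argv[7]
splunk_filepath = sys.argv[8]

# populate the email_to and secondary search from saved search parameters
sys.path.insert(0, os.path.join(os.path.dirname(__file__), ".."))
from splunklib.client import connect
try:
    from utils import parse
except ImportError:
    raise Exception("Add the SDK repository to your PYTHONPATH to run the examples "
                    "(e.g., export PYTHONPATH=~/splunk-sdk-python.")

# HTML escaping for table cells built from event data: stdlib 'html' on
# Python 3, 'cgi' on the Python 2 interpreter this script was written for.
try:
    from html import escape
except ImportError:
    from cgi import escape

# Credentials come from .splunkrc; the searches below run as that account.
opts = parse(sys.argv[1:], {}, ".splunkrc")
service = connect(**opts.kwargs)

# Retrieve the saved search
mysavedsearch = service.saved_searches[splunk_reportname]

# Retrieve individual parameters to feed our script.
# Recipients may be separated by commas or semicolons; empty entries from a
# trailing separator are dropped so sendmail never sees a blank address.
email_recipients = mysavedsearch["action.email.to"]
email_to = [addr for addr in re.split(r"\s*[,;]\s*", email_recipients.strip()) if addr]
new_search = mysavedsearch["description"]
earliest_time = mysavedsearch["dispatch.earliest_time"]
latest_time = "now"
email_from = "splunk@example.com"

# Create message container: multipart/mixed so the HTML body and the
# log attachment travel together in one message.
msg = MIMEMultipart('mixed')
msg['Subject'] = "Splunk Alert: " + splunk_reportname
msg['From'] = email_from
msg['To'] = ", ".join(email_to)

# Read the gzipped CSV of alert results Splunk wrote for us; the context
# manager closes the file handle as soon as the bytes are in memory.
with gzip.open(splunk_filepath, "rb") as results_fh:
    csv_file = results_fh.read()
reader = csv.DictReader(StringIO(csv_file))

# setup the list of columns we care about
columns = '_raw,host'.split(',')

# Build the HTML table. DictReader already consumed the CSV header line, so
# the header row is emitted once up front and every row the reader yields
# is data (the previous version treated the first data row as the header
# and silently dropped it). Cell text comes straight from event data, so it
# is HTML-escaped: a crafted log line must not inject markup into the alert
# email. A row missing one of the columns renders as an empty cell.
fragments = ['<table border=1>', '<tr>']
fragments.extend('<th>' + escape(column) + '</th>' for column in columns)
fragments.append('</tr>')
for row in reader:
    fragments.append('<tr>')
    fragments.extend('<td>' + escape(row.get(column) or '') + '</td>' for column in columns)
    fragments.append('</tr>')
fragments.append('</table>')
table_html = ''.join(fragments)

# part1: the HTML body
part1 = MIMEText(table_html, 'html')
msg.attach(part1)

# part2: the logfile attachment, generated from the secondary search.
# The search text is the saved search's 'description' field, run verbatim
# (prefixed with "search") under the .splunkrc account's privileges, so
# whoever can edit the saved search controls what this script searches.
# No 'count' is passed, so whatever the server returns by default is attached.
kwargs_oneshot = {"earliest_time": earliest_time,
                  "latest_time": latest_time,
                  "output_mode": "raw"}
searchquery_oneshot = "search " + new_search
oneshotsearch_results = service.jobs.oneshot(searchquery_oneshot, **kwargs_oneshot)

part2 = MIMEApplication(str(oneshotsearch_results))
part2.add_header('Content-Disposition', 'attachment', filename="log.txt")
msg.attach(part2)

# Send the message via the local SMTP server; quit() runs in finally so the
# connection is closed even when sendmail raises.
smtp_conn = smtplib.SMTP('localhost')
try:
    smtp_conn.sendmail(email_from, email_to, msg.as_string())
finally:
    smtp_conn.quit()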