"""bubble - re-emit a log record with superdomain
| bubble [field=host] [parts=3]
adds 'superhost' field
"""
import sys,splunk.Intersplunk
import re
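# Dotted-quad IPv4 matcher.  Each octet is 0-255 spelled in up to three
# digits; the address is only recognised when it makes up the WHOLE field
# value (see the fullmatch() call in super_domain below).
ipregex = r"(?P<ip>((25[0-5]|2[0-4]\d|[01]\d\d|\d?\d)\.){3}(25[0-5]|2[0-4]\d|[01]\d\d|\d?\d))"
ip_rex = re.compile(ipregex)


def super_domain(host, output_parts):
    """Return the "superdomain" of *host* made of *output_parts* labels.

    For a hostname the last ``output_parts`` dot-separated labels are kept
    (``www.example.com`` -> ``example.com`` with ``output_parts=2``).  For a
    dotted-quad IPv4 address the *leading* labels are kept instead, i.e. the
    last ``output_parts`` octets are dropped (``10.1.2.3`` -> ``10.1``), so
    the result is a network prefix rather than a host.

    Args:
        host: the field value to reduce (a str).
        output_parts: number of labels to keep (hostname) or drop (IPv4).

    Returns:
        The reduced host string.  *host* comes back unchanged when
        ``output_parts`` is not positive or exceeds the number of labels;
        an IPv4 address with ``output_parts == 4`` reduces to ``""``.
    """
    # A zero or negative count would slice nonsensically (parts[:-0] is
    # empty, parts[-(-1):] skips the first label), so treat it as "keep all".
    if output_parts <= 0:
        return host
    parts = host.split(".")
    if output_parts > len(parts):
        return host
    # fullmatch, not match: a value such as "10.1.2.3.example.com" or
    # "1.1.1.256" must not be classified as an address just because its
    # leading characters look like one.
    if ip_rex.fullmatch(host):
        return ".".join(parts[:-output_parts])
    return ".".join(parts[-output_parts:])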
def add_superhost(results, field, num_parts):
    """Re-emit each result dict with a 'superhost' field added.

    Each record that carries *field* is mutated in place (``record['superhost']``
    is set to ``super_domain(record[field], num_parts)``) and yielded.
    Records that do not carry *field* are skipped entirely, so they do not
    appear in the output at all.

    Args:
        results: iterable of dict-like result records.
        field: name of the record key holding the hostname / address.
        num_parts: passed through to super_domain as ``output_parts``.

    Yields:
        The (mutated) records that contained *field*.
    """
    for record in results:
        if field in record:
            record['superhost'] = super_domain(record[field], num_parts)
            yield record
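# Script body: read the command options and the piped-in results from
# Splunk, tag every record, and hand the results back.
try:
    keywords, options = splunk.Intersplunk.getKeywordsAndOptions()
    # 'field' names the record key to reduce; 'parts' is the label count
    # handed to super_domain.  Both come from the user's search string, so
    # int() may raise ValueError on a non-numeric 'parts' -- that is routed
    # to the error path below rather than crashing the command.
    field = options.get('field', 'hostname')
    num_parts = int(options.get('parts', 2))
    results, dummyresults, settings = splunk.Intersplunk.getOrganizedResults()
    results = list(add_superhost(results, field, num_parts))
except Exception:
    # Only ordinary errors are reported back to the search; a bare
    # 'except:' would also swallow SystemExit / KeyboardInterrupt.
    import traceback
    stack = traceback.format_exc()
    results = splunk.Intersplunk.generateErrorResults("Error : Traceback: " + stack)
splunk.Intersplunk.outputResults(results)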