Splunkpy search (#1717)

* add enhancement script for splunk search * add to indicator types SplunkSearchPy * use cmd only in depnds on
demisto · Jun 26, 2018 · 9efbb45 · 9efbb45
1 parent 307d8d0
commit 9efbb45
Show file tree

Hide file tree

Showing 2 changed files with 44 additions and 5 deletions.
diff --git a/Misc/reputations.json b/Misc/reputations.json
@@ -47,7 +47,8 @@
       "details": "IP",
       "enhancementScriptNames": [
         "IPReputation",
-        "SplunkSearch"
+        "SplunkSearch",
+        "SplunkPySearch"
       ],
       "formatScript": "UnEscapeIPs",
       "fromVersion": "3.5.1"
@@ -74,7 +75,8 @@
       "enhancementScriptNames": [
         "FileReputation",
         "SplunkSearch",
-        "WildfireReport"
+        "WildfireReport",
+        "SplunkPySearch"
       ],
       "fromVersion": "3.1.0"
     },
@@ -100,7 +102,8 @@
       "enhancementScriptNames": [
         "FileReputation",
         "SplunkSearch",
-        "WildfireReport"
+        "WildfireReport",
+        "SplunkPySearch"
       ],
       "fromVersion": "3.1.0"
     },
@@ -126,7 +129,8 @@
       "enhancementScriptNames": [
         "FileReputation",
         "SplunkSearch",
-        "WildfireReport"
+        "WildfireReport",
+        "SplunkPySearch"
       ],
       "fromVersion": "3.1.0"
     },
@@ -174,7 +178,8 @@
       "details": "URL",
       "enhancementScriptNames": [
         "URLReputation",
-        "SplunkSearch"
+        "SplunkSearch",
+        "SplunkPySearch"
       ],
       "formatScript": "UnEscapeURLs",
       "contextPath": "URL(val.Data && val.Data === obj.Data)",

diff --git a/Scripts/script-SplunkPySearch.yml b/Scripts/script-SplunkPySearch.yml
@@ -0,0 +1,34 @@
+commonfields:
+  id: SplunkPySearch
+  version: -1
+name: SplunkPySearch
+script: |-
+  query = demisto.args()['query']
+  rows = demisto.args()['rows']
+
+  query = query + ' | head ' + rows
+  res = demisto.executeCommand('splunk-search',{'using-brand': 'splunkpy', 'query': query})
+
+  if (res and len(res)>0 and res[0]['Contents']):
+      demisto.results({"Type": 1, "Contents": res[0]['Contents'], "ContentsFormat": "json", "EntryContext": {},
+          "HumanReadable": tableToMarkdown("Splunk Search results for: " + query, res[0]['Contents'], "")})
+  else:
+      demisto.results('No results.')
+type: python
+tags:
+- enhancement
+- splunk
+comment: Run a query through Splunk and format the results as a table
+enabled: true
+args:
+- name: query
+  required: true
+  default: true
+  description: Splunk query to execute
+- name: rows
+  description: Return up to X first rows. If omitted, defaults to 10.
+  defaultValue: "10"
+scripttarget: 0
+dependson:
+  must:
+  - splunk-search