Hi everyone,
I’ve been receiving a lot of helpful responses regarding this topic, and I truly appreciate the support. However, I’m currently stuck on how to execute a Python script via a button in Splunk and display the results on a dashboard.
Here’s the Python script I’m using:
import json
import requests
import logging
class ZabbixHandler:
def __init__(self):
self.logger = logging.getLogger('zabbix_handler')
self.ZABBIX_API_URL = "http://222.178.203.72:19005/whst/63/_knbZkgnrs//zabbix/api_jsonrpc.php" # Replace with your Zabbix API URL
self.ZABBIX_USERNAME = "user" # Replace with your Zabbix username
self.ZABBIX_PASSWORD = "password" # Replace with your Zabbix password
self.SPLUNK_HEC_URL = "http://222.178.203.72:19005/whst/63/_knbZkgnrs97.77//services/collector" # Replace with your Splunk HEC URL
self.SPLUNK_HEC_TOKEN = "myhectoken" # Replace with your Splunk HEC token
self.HEC_INDEX = "summary" # Splunk index for the logs
self.HEC_SOURCETYPE = "zabbix:audit:logs" # Splunk sourcetype
def authenticate_with_zabbix(self):
payload = {
"jsonrpc": "2.0",
"method": "user.login",
"params": {
"username": self.ZABBIX_USERNAME,
"password": self.ZABBIX_PASSWORD,
},
"id": 1,
}
response = requests.post(self.ZABBIX_API_URL, json=payload, verify=False)
response_data = response.json()
if "result" in response_data:
return response_data["result"]
else:
raise Exception(f"Zabbix authentication failed: {response_data}")
def fetch_audit_logs(self, auth_token):
payload = {
"jsonrpc": "2.0",
"method": "auditlog.get",
"params": {
"output": "extend",
"filter": {
"action": 0 # Fetch specific actions if needed
}
},
"auth": auth_token,
"id": 2,
}
response = requests.post(self.ZABBIX_API_URL, json=payload, verify=False)
response_data = response.json()
if "result" in response_data:
return response_data["result"]
else:
raise Exception(f"Failed to fetch audit logs: {response_data}")
def send_logs_to_splunk(self, logs):
headers = {
"Authorization": f"Splunk {self.SPLUNK_HEC_TOKEN}",
"Content-Type": "application/json",
}
for log in logs:
payload = {
"index": self.HEC_INDEX,
"sourcetype": self.HEC_SOURCETYPE,
"event": log,
}
response = requests.post(self.SPLUNK_HEC_URL, headers=headers, json=payload, verify=False)
if response.status_code != 200:
self.logger.error(f"Failed to send log to Splunk: {response.status_code} - {response.text}")
def handle_request(self):
try:
auth_token = self.authenticate_with_zabbix()
logs = self.fetch_audit_logs(auth_token)
self.send_logs_to_splunk(logs)
return {"status": "success", "message": "Logs fetched and sent to Splunk successfully."}
except Exception as e:
self.logger.error(f"Error during operation: {str(e)}")
return {"status": "error", "message": str(e)}
if __name__ == "__main__":
handler = ZabbixHandler()
response = handler.handle_request()
print(json.dumps(response))
My restmap.conf
[script:zabbix_handler]
match = /zabbix_handler
script = zabbix_handler.py
handler = python
output_modes = json
Current Status:
The script is working correctly, and I am successfully retrieving data from Zabbix and sending it to Splunk. The logs are being indexed in Splunk’s summary index, and I can verify this via manual execution of the script.
Requirements:
- I want to create a button in a Splunk dashboard that, when clicked, executes the above Python script.
- The script (zabbix_handler.py) is located in the /opt/splunk/bin/ directory.
- The script extracts logs from Zabbix, sends them to Splunk’s HEC endpoint, and stores them in the summary index.
After the button is clicked and the script is executed, I would like to display the query results from index="summary" on the same dashboard.
Questions:
- JavaScript for the Button: How should I write the JavaScript code for the button to execute this script and display the results?
- Placement of JavaScript Code: Where exactly in the Splunk app directory should I place the JavaScript code?
- Triggering the Script: How can I integrate this setup with Splunk’s framework to ensure the Python script is executed and results are shown in the dashboard?
