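#!/bin/bash
# Splunk Export script that will use the Splunk API to perform and export searches.
# Created By: Jeremy Davis
# Version: 1.0.0
#
# Usage: splunk-export.sh [--search | --export | --help]
#   --search (default)  prompt for a query, create a search job, wait for it to
#                       finish and export the results as CSV to /tmp/<search name>
#   --export            poll an existing job (the search name is its job id) and
#                       export it once it is DONE
#
# Optional environment:
#   SPLUNK_HOST    host:port of the Splunk management API
#                  (default: splunk.sendgrid.net:8089, the value the script shipped with)
#   SPLUNK_CACERT  CA bundle used to verify the Splunk TLS certificate. When it is
#                  unset, verification is disabled (curl -k) exactly as before; set it
#                  wherever a bundle is available, since the LDAP credentials travel
#                  over that connection.
set -u

readonly SPLUNK_HOST="${SPLUNK_HOST:-splunk.sendgrid.net:8089}"
readonly SPLUNK_JOBS_URL="https://${SPLUNK_HOST}/services/search/jobs"

## The export lands in /tmp, a directory shared with every user on the box:
## create files readable by the invoking user only, and refuse to overwrite
## (or write through a symlink at) a path that already exists.
umask 077
set -o noclobber

OPTION='search'
DISPATCHSTATE='null'
JOBSTATUS='RUNNING'
QUERY=''
USERNAME=''
PASSWD=''
FILENAME=''
JOBID=''

## Scratch space for API responses; removed on every exit path.
WORKDIR=$(mktemp -d) || { echo "Unable to create a temporary directory" >&2; exit 1; }
cleanup() { rm -rf -- "${WORKDIR:?}"; }
trap cleanup EXIT

#######################################
# Print each argument on its own line to stderr and exit 1.
#######################################
die() {
  printf '%s\n' "$@" >&2
  exit 1
}

#######################################
# Call the Splunk API as the prompted user.
# The credentials are handed to curl as a config file on stdin (-K -) so they
# never appear on the command line / in `ps`; the response body goes to a file
# so large exports are not held in a shell variable.
# Globals:   USERNAME, PASSWD (read), SPLUNK_CACERT (read, optional)
# Arguments: $1 - file to write the response body to
#            $2 - URL
#            $@ - further curl options (request data, --get, ...)
# Outputs:   the HTTP status code on stdout
# Returns:   curl's exit status (non-zero when Splunk could not be reached)
#######################################
splunk_api() {
  local body_file=$1 url=$2
  shift 2
  local -a tls_opts
  if [[ -n "${SPLUNK_CACERT:-}" ]]; then
    tls_opts=(--cacert "$SPLUNK_CACERT")
  else
    tls_opts=(-k)
  fi
  ## curl config values are double-quoted strings with backslash escapes,
  ## so escape '\' and '"' in the credentials before embedding them.
  local cred="${USERNAME}:${PASSWD}"
  cred=${cred//\\/\\\\}
  cred=${cred//\"/\\\"}
  printf 'user = "%s"\n' "$cred" |
    curl -s -S -K - "${tls_opts[@]}" -o "$body_file" -w '%{http_code}' "$@" "$url"
}

#######################################
# Stop with the authentication error when Splunk answered 401.
# Checking the status code instead of grepping the body for "Unauthorized"
# keeps an export whose log lines happen to contain that word from being
# mistaken for a login failure.
# Arguments: $1 - HTTP status code
#######################################
check_auth() {
  if [[ "$1" == "401" ]]; then
    echo "Authentication Failed!"
    echo "Check your username and password and try again"
    exit 1
  fi
}

## Obtain the first argument to determine what to run.
case "${1:-}" in
  --help)
    echo "To perform a new search either provide no options or: --search."
    echo "To export an existing job use: --export"
    exit 0   ## previously fell through into the interactive prompts
    ;;
  --search)
    OPTION='search'
    ;;
  --export)
    OPTION='export'
    ;;
  *)
    OPTION='search'
    ;;
esac

## Obtain the username, password, and search query and assign it to variables.
clear
echo "Enter LDAP Username:"
read -r USERNAME
clear
echo "Enter Password:"
read -rs PASSWD
if [[ "$OPTION" == "search" ]]; then
  clear
  echo "Enter Splunk Search Query:"
  echo "NOTE: Make sure you limit the search as this will pull all logs and could take some time."
  read -r QUERY
fi
clear
echo "Enter Search Name:"
echo "NOTE: This name will be used to store the exported logs from Splunk under /tmp/ and be used as the Job ID. Output will be in csv format."
read -r FILENAME
clear

## The name is used both as the Splunk job id and as a path component under
## /tmp, so only accept a plain token (no '/', '..', leading '-' or empty).
[[ "$FILENAME" =~ ^[A-Za-z0-9][A-Za-z0-9._-]*$ ]] ||
  die "Invalid Search Name '$FILENAME': use letters, digits, '.', '_' or '-' only."
readonly EXPORT_PATH="/tmp/$FILENAME"

## Display what we are about to do.
echo "Your username: $USERNAME"
echo "Your Query: $QUERY"
echo "Your Query Name/Filename: $FILENAME"

## If the option is set to search start performing the search.
if [[ "$OPTION" == "search" ]]; then
  echo "Scheduling Splunk Search. Please wait..."
  ## Schedule the search and obtain the run ID in order to pull data.
  ## --data-urlencode so that '&', '+', '%' and '=' inside the query reach Splunk intact.
  HTTP_CODE=$(splunk_api "$WORKDIR/create.xml" "$SPLUNK_JOBS_URL/" \
    --data-urlencode "search=$QUERY" \
    --data-urlencode "id=$FILENAME" \
    -d timeout=14400) || die "Unable to reach Splunk at $SPLUNK_HOST."
  ## Verify the username and password were correct.
  check_auth "$HTTP_CODE"
  ## Obtain the JobID from the <sid> element of the response (no xml_grep needed).
  TEMPJOBID=''
  SID_RE='<sid>([^<]*)</sid>'
  if [[ "$(<"$WORKDIR/create.xml")" =~ $SID_RE ]]; then
    TEMPJOBID=${BASH_REMATCH[1]}
  fi
  ## Verify the TEMPJOBID matches the provided search name. Set the JOBID in order to be used for further processing.
  if [[ "$TEMPJOBID" == "$FILENAME" ]]; then
    JOBID="$TEMPJOBID"
    OPTION="export"
    JOBSTATUS="RUNNING"
    echo "Please make note of the Job ID in order to pull the results if you loose your connection or the script stops for some reason."
    echo "JOBID: $JOBID"
    echo " "
    echo "NOTE: The job that was created will be automaticly removed in 4 hours."
  else
    echo "The Job ID wasn't created correctly. Please check everything and try again!"
    echo "Your username: $USERNAME"
    echo "Your Query: $QUERY"
    echo "Your Query Name/Filename: $FILENAME"
    exit 1
  fi
fi

## If the option is --export just run the status code.
if [[ "$OPTION" == "export" ]]; then
  JOBID="$FILENAME"
  ## Wait until the job finishes if there are any issues alert the user.
  while [[ "$JOBSTATUS" == "RUNNING" ]]; do
    HTTP_CODE=$(splunk_api "$WORKDIR/status.xml" "$SPLUNK_JOBS_URL/$JOBID") ||
      die "Unable to reach Splunk at $SPLUNK_HOST."
    ## Verify the username and password were correct.
    check_auth "$HTTP_CODE"
    ## Pull the dispatchstate to determine if the search is finished.
    DISPATCHSTATE=$(grep -- dispatchState "$WORKDIR/status.xml" | cut -d'>' -f2 | cut -d'<' -f1)
    case "$DISPATCHSTATE" in
      QUEUED)
        echo "The job is queued. Please wait..."
        sleep 30
        ;;
      PARSING)
        echo "The job is parsing. Please wait..."
        sleep 30
        ;;
      RUNNING)
        echo "The job is running. Please wait..."
        sleep 30
        ;;
      PAUSED)
        echo "The job $FILENAME has been pasued. Login to Splunk to determine what the cause is."
        exit 1
        ;;
      FINALIZING)
        echo "The job is finalizing. Please wait..."
        sleep 30
        ;;
      FAILED)
        echo "The job $FILENAME has failed! Login to Splunk to determine what the cause is."
        exit 1
        ;;
      DONE)
        JOBSTATUS=DONE
        ;;
      *)
        echo "Something has gone wrong!"
        cat -- "$WORKDIR/status.xml"
        exit 1
        ;;
    esac
    clear
    if [[ "$JOBSTATUS" == 'RUNNING' ]]; then
      echo "Job is still processing. Please wait..."
    else
      echo "Job is being exported to /tmp/$FILENAME. Please wait..."
    fi
  done
  ## Once the job has finished its time to pull the data.
  if [[ "$JOBSTATUS" == 'DONE' ]]; then
    ## NOTE(review): the results endpoint may cap the number of rows it returns
    ## unless a 'count' parameter is sent — confirm against the Splunk version
    ## in use if exports come back truncated.
    HTTP_CODE=$(splunk_api "$WORKDIR/results.csv" "$SPLUNK_JOBS_URL/$JOBID/results/" \
      --get -d output_mode=csv) || die "Unable to reach Splunk at $SPLUNK_HOST."
    ## Verify the username and password were correct.
    check_auth "$HTTP_CODE"
    ## noclobber (set above) makes this fail instead of replacing an existing file.
    cat -- "$WORKDIR/results.csv" > "$EXPORT_PATH" ||
      die "Unable to write $EXPORT_PATH (does it already exist?)."
  fi
fi

## If everything finished let the user know and exit clean.
echo "Finished!! Please open /tmp/$FILENAME to view the exported data."
echo "NOTE: The job that was created will be automaticly removed in 4 hours."
exit 0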