February 16, 2014: 9:41 pm: Programming, Splunk

A big thanks to the members of the @SplunkDev team that were helpful and patient with my questions while I pulled this together. Thanks Guys: @gblock, @damiendallimore‎ and David Noble

In Splunk circles, you often hear about the holy grail of using Splunk to actively control other systems. It can be hard to find details or good examples on HOW to do it. I am always working on something new that deepens my technical skills. I had not previously dealt with REST APIs or Splunk alert scripts and this post is the result. Used well you can replace manual daily operations tasks; changing Splunk from a tool into a team member.

We will cover a working example of using Splunk alert results to update a Google Spreadsheet via the Drive Python SDK. Once you understand how it works, you can make your own controls for any system that supports REST API calls, such as an Intrusion Prevention System that blocks a list of IP addresses from a scheduled Splunk alert.

We will leverage a Splunk blog post on saving credentials in a Splunk App to avoid leaving our Google credentials hard-coded and exposed in the alert script. It turns out alert scripts work the same way, but it is not well documented. I built a Python class for retrieving those credentials from Splunk so you can re-use the code across many alert scripts. The scripts can all be found in the supporting GitHub repo. You will be able to use these as a framework for your own alert scripts that drive actions in other systems. I will not be stepping through the code itself as it is fairly well commented. There are plenty of moving parts to this, so you need to be an experienced Splunk administrator to get it working. The benefit is that once you get one working you can make new variants with little effort.



January 19, 2014: 11:30 am: Programming, Splunk

Splunk is a great tool for digging into data and presenting the results. Sometimes, you just want a status board of results that comes to you without having to log into a web application. A wonderful app for this is the iPad app statusboard by Panic software.

You always could create a panel on your Statusboard that links to the URL of a file for presentation. However, this means your data is not protected by authentication. Panic added Dropbox support, so you can now make a panel that pulls from a CSV or JSON file. You can also AirPlay to an Apple TV or connect the iPad directly to a TV to present the dashboard on a large display.

In this post I will cover how I combined a Splunk alert script in Python, Dropbox and Statusboard to get the result below. I am displaying the number of failed login attempts against my WordPress blog by country code for the previous 7 days. Keep in mind this is a Splunk instance running on my laptop with minimally sensitive information. I would never run Dropbox directly on a work-related production Splunk server. An alternative method would be a scheduled script that pulls the results out of Splunk via the REST API and writes them out to a CSV in the Dropbox folder. I will do that version of this post in the future.



January 18, 2014: 6:30 pm: Programming, Splunk

I want to start making some custom alert scripts. As usual, I like to practice with a live example. I have SSH remote access and Apache enabled on my laptop. When at work I keep a map up in Splunk on my laptop showing the source IP location of any attempts to connect to my laptop. If you start beating on my laptop it results in an instant ban hammer in the network IPS.

I sometimes miss seeing the map updates when busy. If I had an alert history that is quickly accessible it would be easier to handle the scanning systems. I decided on this alert, which runs every 15 minutes, to test the hits on Apache. These logs just happen to go into an index called os_osx. I tagged the combined_access source type as "web".

index=os_osx tag=web | stats count by clientip

Now the fun part. I am working on my Python skills, so I did the alert script in Python. This required me to call the OSX shell command osascript in order to execute the AppleScript that generates the actual Notification Center message. It took a minute of experimentation to get the right combination of escaped quotes to build the AppleScript command.

We get a result like this:


And here is the alert script that I saved as osx-alert.py in the /Applications/splunk/bin/scripts folder on my laptop. That is the script I chose to call on the search above when saved as an alert.

import os
import csv
import gzip
from subprocess import call

if __name__ == "__main__":

    # Obtain the path to the alert events compressed file
    alertEventsFile = os.environ['SPLUNK_ARG_8']

    # Handle to the csv contents of the alerts events compressed file
    # (Splunk's bundled Python 2.7 is assumed here, where 'rb' is the mode csv.reader expects)
    eventContents = csv.reader(gzip.open(alertEventsFile, 'rb'))

    # Assign the contents to a list iterator and skip the header line of the table.
    alert_iterator = iter(eventContents)
    next(alert_iterator, None)

    # Send a notification for each source ip in the alert results table. We grab the IP and count
    # from the columns in each row of the stats count csv format output from Splunk.
    for line in alert_iterator:
        message = "ALERT: " + line[1] + " connections from ip: " + line[0] + " in past 15 minutes."
        # The message is wrapped in escaped double quotes so it becomes an AppleScript string literal
        call(["osascript", "-e", "display notification \"" + message + "\" with title \"Splunk\""])
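
As an added example (Python 3, not the author's script above), here is a hardened take on the same parsing step: it reads the gzipped results CSV that Splunk hands the script in SPLUNK_ARG_8 with a header-aware reader, drops any row whose clientip field is not a valid IP address, and escapes the message before embedding it in an AppleScript string literal, so a stray quote in log data cannot alter the osascript command. The sample results file is constructed inline and the function names are my own.

```python
import csv
import gzip
import ipaddress
import os
import tempfile

def applescript_string(value):
    """Quote value as an AppleScript string literal: escape backslashes
    first, then double quotes, so log data cannot end the literal early."""
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return '"' + escaped + '"'

def read_alert_results(path):
    """Return (clientip, count) tuples from a gzipped Splunk alert results
    CSV (the SPLUNK_ARG_8 file). DictReader consumes the header row;
    rows whose clientip is not a valid IP address are skipped."""
    rows = []
    with gzip.open(path, "rt", newline="") as fh:
        for row in csv.DictReader(fh):
            try:
                ip = ipaddress.ip_address((row.get("clientip") or "").strip())
                count = int(row.get("count") or "")
            except ValueError:
                continue  # malformed or unexpected field: do not notify on it
            rows.append((str(ip), count))
    return rows

def osascript_args(ip, count, window="15 minutes"):
    """Build the argv list for osascript; no shell is involved."""
    message = "ALERT: %d connections from ip: %s in past %s." % (count, ip, window)
    script = "display notification %s with title %s" % (
        applescript_string(message), applescript_string("Splunk"))
    return ["osascript", "-e", script]

def run_sample():
    """Write a constructed results file in a temp dir and parse it."""
    path = os.path.join(tempfile.mkdtemp(), "results.csv.gz")
    with gzip.open(path, "wt", newline="") as fh:
        writer = csv.writer(fh)
        writer.writerow(["clientip", "count"])
        writer.writerow(["203.0.113.7", "42"])
        writer.writerow(['" & do shell script "id', "1"])  # quote-breaking row
        writer.writerow(["198.51.100.9", "3"])
    return read_alert_results(path)

if __name__ == "__main__":
    for ip, count in run_sample():
        print(" ".join(osascript_args(ip, count)))
```

On the real alert, replace run_sample() with read_alert_results(os.environ["SPLUNK_ARG_8"]) and pass each argv list to subprocess.call.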

December 17, 2011: 12:48 am: General, Privacy

I like to remind folks who move their Apple laptop to public wifi that they need to remember to turn off iLife application sharing, such as iTunes and iPhoto, and then turn on their firewall.

So here is an AppleScript that will do just that. It is written and tested on OSX Lion with iLife 11, so you may have to play with it for your version if that is not what you are running. Keep in mind it is a toggle script. It reverses the settings of iPhoto sharing, iTunes sharing and the firewall, so it is assumed you share both with the firewall off when at home.

Also, you need to ensure "Enable access for assistive devices" is checked under Universal Access in System Preferences.

Just cut and paste the below script into the AppleScript Editor. Then save it either as an application on your desktop that you can double-click, or as an AppleScript in ~/Library/Application Support/LaunchBar/Actions, where an application like LaunchBar can use it as an action.


September 10, 2011: 4:03 pm: Automation

I have been playing around making a Jarvis-like home notification script. One piece of that, for fun, is to read me the current Brandon Sanderson book project status report. I made the below AppleScript to parse the information off his Web site and read it aloud to me. After all, men don't read (a Stormlight Archive reference, so go get the book). I am a huge fan of his Mistborn and Stormlight Archive series. Oh yeah... He is also finishing the Wheel of Time too. ;-)

Warning: the below script could break at any time. It has to parse out bits of HTML code, and who knows how much that changes each time he updates his status. I won't know till the next update. You can see those bits in the AppleScript's text item delimiters lines in the script.


on run
	try
		set theSource to (do shell script "curl " & quoted form of ("http://www.brandonsanderson.com/"))

		-- Isolate the "Current Projects" section of the page
		set AppleScript's text item delimiters to {"<h3>Current Projects</h3>"}
		set theText to text item 2 of theSource
		set AppleScript's text item delimiters to {"<h3>Search</h3>"}
		set theText to text item 1 of theText

		-- Split the section into the three project blocks
		set AppleScript's text item delimiters to {"<div style=\"float:left;  width:100%;\">"}
		set tempProject1 to text item 2 of theText
		set tempProject2 to text item 3 of theText
		set tempProject3 to text item 4 of theText

		-- Strip the progress-bar markup from each block, keeping the text on either side of it
		set AppleScript's text item delimiters to {"<br/> <div style=\"width:33.99px; overflow:hidden; float:left; \"><img src=\"/templates/slate/images/bookmeter1.png\" /></div><div style=\"float:left; padding-left:5px;\"> "}
		set projectProgress1 to text item 1 of tempProject1 & text item 2 of tempProject1

		set AppleScript's text item delimiters to {" <br/> <div style=\"width:103px; overflow:hidden; float:left; \"><img src=\"/templates/slate/images/bookmeter2.png\" /></div><div style=\"float:left; padding-left:5px;\"> "}
		set projectProgress2 to text item 1 of tempProject2 & text item 2 of tempProject2

		set AppleScript's text item delimiters to {" <br/> <div style=\"width:57.68px; overflow:hidden; float:left; \"><img src=\"/templates/slate/images/bookmeter3.png\" /></div><div style=\"float:left; padding-left:5px;\"> "}
		set projectProgress3 to text item 1 of tempProject3 & text item 2 of tempProject3

		-- Cut each result off at the closing div
		set AppleScript's text item delimiters to {"</div>"}
		set projectProgress1 to text item 1 of projectProgress1
		set projectProgress2 to text item 1 of projectProgress2
		set projectProgress3 to text item 1 of projectProgress3

		-- Restore the default delimiters
		set AppleScript's text item delimiters to {""}

		say "Brandon Sanderson Project Status Report"
		-- the say statements for projectProgress1 through projectProgress3 are missing here

	on error
		say "Unable to obtain Brandon Sanderson project status information."
	end try
end run



August 23, 2011: 12:54 pm: Admin Tricks, Windows Security

I don't think I ever posted this before. If you need a login script to map drives and network printers based on Windows domain group membership, try the below. Put it in a VBS file like login.vbs. Edit "domainname" to be your Windows domain name, and edit the permission group names appropriately. It also has an example of removing existing drive mounts before trying to mount by group.


July 31, 2011: 10:22 am: Forensics, Password Security

I was curious if I could script a dictionary attack against one of the OSX Lion FileVault 2 encrypted external drives. If you haven't done it, you need to be on Lion. Grab a spare USB storage stick. Make sure to back up any data from the device first: encrypting the device by the book will erase and destroy the existing contents.

  1. Go into “Disk Utility”
  2. Plug in the desired USB storage stick
  3. Click on the device in the list
  4. Click on the Erase tab
  5. Pull down the Format box and choose one of the Encrypted options like: Mac OS Extended (Journaled, Encrypted)
  6. Click Erase
  7. When prompted provide a desired password.

Now that you have set up an encrypted device you can use it to test this process.

  1. First eject the USB device
  2. Unplug it
  3. Plug it back in
  4. Click Cancel and do not enter the passphrase

Now onto the rest of the process.


February 12, 2011: 12:15 pm: General, Programming

Recently we were sent a password-protected zip file at work. If you have ever tried to double-click open a protected zip file, you know that you get an error, not a password prompt.

If we ignore third-party applications for opening these files, we are left with running the unzip command from Terminal. You can use the option "-P password", where you replace the word password with the actual password used to protect the file. An example command might look like:

unzip -P 'strong password' ~/Desktop/secretzip.zip

This may have been good enough for me, but we have less technically inclined folks in our group who needed access to the provided files. So I made an Automator workflow that everyone in the group could reuse, even for future files. The Automator workflow needed several features.

  1. Provide a GUI browser selection box to choose the protected zip file.
  2. Prompt for the password needed to unzip the file.
  3. Send the content to the user's desktop regardless of who ran it.

Here is how we build the Automator workflow. The key components are the use of variables within Automator and a shell script object that takes the file and password provided by the user as arguments.