A simple command line interface to search splunk and display results in STDOUT CSV format. It is written in Node js.
Requirments file present in here
Please follow the below steps for setting up the CLI
- Clone this repo into local machine
cd splunk-search-cli
npm i
npm start
Once the command line interface opens you will see the following screen
Once the application is started with the above instructions help
command will display all the available commands and its functionalities
splunk-search-cli$ help
Commands:
help [command...] Provides help for a given command.
exit Exits application.
clear clears the screen
search [options] Queries splunk prints the results. Saves results to ./results-csv/ dir
searchasync [options] Asynchronously. queries splunk prints the results. Does NOT save results in file
splunk-search-cli$
clear
command clears the screen
splunk-search-cli$ help clear
Usage: clear [options]
clears the screen
Options:
--help output usage information
splunk-search-cli$
search
command does a one shot search on the splunk server and prints the output at STDOUT in CSV format.- It fetches first 100 results
- It saves the results in the saves results to
./results-csv/
directory. - It saves the logs under
./debug-logs/
directory. Default log level isinfo
. - This command can be executed in debug mode using the argument
-d
or--debug
upon which this the log level will be set to debug - As this command fetches first 100 results, it is not recommended for larger search results.
Please find the options and their descriptions below
splunk-search-cli$ help search
Usage: search [options]
Queries splunk prints the results. Saves results to ./results-csv/ dir
Options:
--help output usage information
-d, --debug Debug boolean. Sets log level to debug. Log files @ ./debug-logs/ dir
-u, --username <username> Splunk username.
-p, --password <password> Splunk password.
-h, --host <host> Splunk REST API URL.
--port <port> Splunk REST API port.
--query Splunk search query
splunk-search-cli$
searchasync
command does asynchronously search on the splunk server and prints the output at STDOUT in CSV format.- It fetches all results
- It does NOT save the results in the saves results to
./results-csv/
directory. - It saves the logs under
./debug-logs/
directory. Default log level isinfo
. - This command can be executed in debug mode using the argument
-d
or--debug
upon which this the log level will be set to debug - As this command fetches all the results, it is recommended for larger search results.
Please find the options and their descriptions below
splunk-search-cli$ help searchasync
Usage: searchasync [options]
Asynchronously queries splunk prints the results. Does NOT save results in file
Options:
--help output usage information
-d, --debug Debug boolean. Sets log level to debug. Log files @ ./debug-logs/ dir
-u, --username <username> Splunk username.
-p, --password <password> Splunk password.
-h, --host <host> Splunk REST API URL.
--port <port> Splunk REST API port.
--query Splunk search query
splunk-search-cli$
Below is the command that returns the list of web pages that have been indexed by Google (“Googlebot”).
search -u admin --password P@ssw0rd -h localhost --port 8089 --query "sourcetype=access_* useragent=*google* AND useragent=*Bot* | dedup file | table uri_path file | rename file as File | rename uri_path AS Webpages" -d
Below command generates a list of usernames that were used in failed SSH login attempts from 27.0.0.0/8
search -u admin -p P@ssw0rd -h localhost --port 8089 --query "ssh* error OR *fail* OR severe |rex field=_raw "(?<val_ignore_1>.*)\ for (?<raw_user>.*)\ from (?<IP>.*)\ port (?<val_ignore_2>.*)" | rex field=IP "27\.0\.0\.(?<range>\d{1,3})" | where range >=0 AND range<=8 | eval User=replace(raw_user, "invalid user ", "") | table User IP" -d
Below command generates a table consisting of [Timestamp, Client IP, URL] where the HTTP Server’s response was a 50X error code.
search -u admin -p P@ssw0rd -h localhost --port 8089 --query "sourcetype=access* status=50*| table req_time clientip uri_domain uri | rename req_time as Timestamp, uri AS URI, uri_domain AS Domain, clientip AS "Client IP"" -d
Note : This command compraises of arguments pertaining to the splunk instance setup in my localmachine which has REST API opened at 8089.
- Uses nodejs + winston for logging
- Log files are stored under
./debug-logs
directory. - Default log level is
info
and-d
flag make the log level todebug
- Files have time stamps in log entires and timestamp as thier filename
- All command line arguments will be logged and password argument is logged as
*********
for security reasons
Unit tests are written in MochaJS. Below are the results for the test run. Unit tests can be run using npm test
command
- nodejs : v7.10.0 (or newer)
- npm : 5.6.0 (or newer)