querysplunk/main.go at main · georgestarcher/querysplunk · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
package main

import (
	"flag"
	"fmt"
	"log"
	"os"
	"splunk"
	"strconv"
	"sync"
	"time"

	// import for the .env file support
	"github.com/joho/godotenv"
)

// setup more standard logging format
type logWriter struct {
}

func (writer logWriter) Write(bytes []byte) (int, error) {
	hostname, err := os.Hostname()
	if err != nil {
		fmt.Println(err)
		os.Exit(1)
	}
	return fmt.Print(time.Now().UTC().Format("2006-01-02T15:04:05.999Z") + " " + hostname + " splunkquery [DEBUG] " + string(bytes))
}

func main() {

	var queryfile string
	var outputfile string
	var envfile string

	// get optional flag arguments
	log.SetFlags(0)
	log.SetOutput(new(logWriter))

	flag.StringVar(&envfile, "e", "false", "Use .env file")
	flag.StringVar(&queryfile, "q", "query.txt", "Enter the filename of the Query.")
	flag.StringVar(&outputfile, "o", "splunkresults.json", "Enter the filename to save results.")
	flag.Parse()

	// use .env file if option chosen
	useEnvFile, _ := strconv.ParseBool(envfile)
	if useEnvFile {

		err := godotenv.Load()
		if err != nil {
			log.Fatal("Error loading .env file")
		}

	}

	// read in SPL query to be executed. One query per file
	fileContent, err := os.ReadFile(queryfile)
	if err != nil {
		log.Fatal(err)
	}
	splunkQueryString := string(fileContent)

	// setup goroutine waitgroup for thread completion
	var wg sync.WaitGroup

	// read environment variables
	username := os.Getenv("SPLUNKUSERNAME")
	password := os.Getenv("SPLUNKPASSWORD")
	baseurl := os.Getenv("SPLUNKBASEURL")
	splunktoken := os.Getenv("SPLUNKTOKEN")

	// use credentials if auth token not used
	if username == "" && splunktoken == "" {
		log.Fatalf("ERROR: Missing Username")
	}
	if password == "" && splunktoken == "" {
		log.Fatalf("ERROR: Missing Password")
	}
	if baseurl == "" {
		log.Fatalf("ERROR: Missing BaseURL")
	}

	tlsVerify, err := strconv.ParseBool(os.Getenv("SPLUNKTLSVERIFY"))
	if err != nil {
		tlsVerify = false
	}

	// set max timeout to wait for a query to finish. default to 120 seconds
	timeout, err := strconv.Atoi(os.Getenv("SPLUNKTIMEOUT"))
	if err != nil {
		timeout = 120
	}

	// setup splunk connection structure
	conn := splunk.SplunkConnection{
		Username:  username,
		Password:  password,
		Authtoken: splunktoken,
		BaseURL:   baseurl,
		TLSverify: tlsVerify,
		Timeout:   timeout,
	}

	// attempt to login using credentials and obtain a session key
	err = conn.Login()
	if err != nil {
		log.Fatalf("ERROR: Couldn't login to splunk: %s", err)
	}

	//setup the query structure and dispatch the job
	splunkQuery := splunk.SplunkQuery{Query: splunkQueryString}

	wg.Add(1)
	go func() {
		defer wg.Done()
		err = conn.DispatchQuery(&splunkQuery, outputfile)
	}()

	wg.Wait()

	if err != nil {
		log.Fatalf("ERROR: %s", err)
	} else {
		log.Print("SUCCESS: Query Completed")
	}

}