Getting Data In

Why are we unable to index data to Splunk Enterprise using a Splunk add-on?

bhuvanabala
New Member

I am new to Splunk Add-on Builder. I am using Splunk Add-on Builder to build an add-on that feeds a REST API response as input to Splunk Enterprise. For this I am using the Python modular input method. Since the REST API modular input, one of the data collection inputs, doesn't support OAuth 2.0, we are using a Python modular input to get the REST API response.

Before I feed the response to Splunk Enterprise, I tried feeding some sample data using the syntax below:

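    def collect_events(helper, ew):
        # Build a sample event targeted at a specific index and sourcetype
        event = helper.new_event(data="123", index="new_index", sourcetype="new_sourcetype")
        # Hand the event to the event writer so it is streamed to Splunk
        ew.write_event(event)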

I am able to print the output in the console, but when I search for index="new_index" in the search bar, it's returning 0 events.

Please let me know what I am missing here.

0 Karma

DavidHourani
Super Champion

Hi @bhuvanabala,

You can use the following link for reference:
http://dev.splunk.com/view/python-sdk/SP-CAAAEE6

There's an entire section about creating indexes and sending data there.

Also use this:
https://www.function1.com/2015/09/splunk-sdk-for-python-getting-data-in
It's a bit old but can still be used for reference.

Cheers,
David

0 Karma

suryajagarapu
Explorer

I am also facing the same issue as the events are getting displayed in output console of AOB but it's showing zero events for the index.
Any thoughts please?

0 Karma

suryajagarapu
Explorer

Hi @bhuvanabala, could you please let me know what you did to fix the issue? I got stuck in the same situation, and events are showing as 0 for the index though it's displaying the event in the output console.

0 Karma

DavidHourani
Super Champion

Where are you writing the events to?

0 Karma

bhuvanabala
New Member

Hi David,

Thanks for responding back.

I am trying to index the data under "new_index" (index name) and searched for the event in the Search and Reporting App.

Should I specify the App in the new_event() function?

0 Karma