How to put results of custom search command into index

skharenk
New Member

Hello all,
I have an add-on with a custom search command. This command calls my Python package.
my_searchcommand.py:

import sys

from lazy import Lazy
from splunklib.searchcommands import (
    dispatch,
    validators,
    StreamingCommand,
    Configuration,
    Option,
)
from my_package import MyFunc
# 'Settings' is assumed to be defined elsewhere in the add-on (not shown in the post)


@Configuration()
class MyCommand(StreamingCommand):
    def __init__(self):
        super(MyCommand, self).__init__()

    def prepare(self):
        # build settings from conf files and stored credentials
        settings = Settings(self.service.confs,
                            self.service.storage_passwords)

        # defer connecting until the action is actually used
        self._action = Lazy(
            self.action,
            tr=Lazy(self.connect, settings),
        )

    def stream(self, records):
        index = self.service.indexes['my_index']  # get index
        # how to put a 'records' into 'my_index'?
        for record in records:
            yield record

    @property
    def action(self):
        ... # use my_package

    def connect(self, settings):
        ...


# entry point the SDK expects for a custom search command
dispatch(MyCommand, sys.argv, sys.stdin, sys.stdout, __name__)
How can I push the results of a custom search command into 'my_index', and how can I associate an index with a sourcetype?

Thank you!

arjunpkishore5
Motivator

You can index the results of your search using the collect command. Just add the collect statement at the end:

<your search including your custom command>
| collect index=your_index sourcetype=your_sourcetype

Here's the documentation to the collect command - https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/collect

Hope this helps.

Regards
Arjun

skharenk
New Member

Arjun, thank you for the answer. I heard about 'collect', but I need to push my raw JSON into the index from 'my_searchcommand.py'.

arjunpkishore5
Motivator

Any specific reason for not using collect?

If you must send data directly from the script, you can use Splunk's HEC (HTTP Event Collector). With this, you would be sending data to your index through an HTTP POST request. HEC works well with JSON data.

https://dev.splunk.com/view/event-collector/SP-CAAAE6M
https://docs.splunk.com/Documentation/SplunkCloud/8.0.0/Data/UsetheHTTPEventCollector
https://docs.splunk.com/Documentation/SplunkCloud/8.0.0/Data/Senddata

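To make the HEC route concrete, here is an added example (not code from either poster or from Splunk) showing how records from a stream() method can be turned into the newline-delimited JSON that the /services/collector/event endpoint accepts, with index and sourcetype set per event. The HEC URL and token are placeholders; in the command itself the token would be read from storage_passwords rather than hard-coded, and the records below are constructed sample data.

```python
import json
import urllib.request

# Constructed sample records, standing in for the 'records' passed to stream()
SAMPLE_RECORDS = [
    {"_time": 1710000000, "host": "web01", "status": 200, "uri": "/login"},
    {"_time": 1710000001, "host": "web02", "status": 500, "uri": "/api/orders"},
]


def build_hec_payload(records, index, sourcetype, source="my_searchcommand"):
    """Serialize records as one HEC event object per line.

    Each line targets /services/collector/event: the record's _time becomes the
    event timestamp, the host field is promoted to HEC metadata, and index and
    sourcetype are set explicitly so the events land where the search wants them.
    """
    lines = []
    for record in records:
        event = dict(record)              # do not mutate the caller's record
        ts = event.pop("_time", None)
        obj = {"event": event, "index": index, "sourcetype": sourcetype, "source": source}
        if ts is not None:
            obj["time"] = float(ts)       # epoch seconds, as HEC expects
        if "host" in event:
            obj["host"] = event["host"]
        lines.append(json.dumps(obj, sort_keys=True))
    return "\n".join(lines)


def build_hec_request(payload, hec_url, token):
    """Build (but do not send) the POST; HEC authenticates via 'Splunk <token>'."""
    req = urllib.request.Request(hec_url, data=payload.encode("utf-8"), method="POST")
    req.add_header("Authorization", "Splunk " + token)
    req.add_header("Content-Type", "application/json")
    return req


def send_to_hec(records, index, sourcetype, hec_url, token, timeout=10):
    """Send a batch of records and return HEC's JSON acknowledgement."""
    req = build_hec_request(build_hec_payload(records, index, sourcetype), hec_url, token)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


if __name__ == "__main__":
    # Placeholder endpoint and token (hypothetical); inside stream() you would
    # call send_to_hec on each batch and still yield the records onward.
    print(build_hec_payload(SAMPLE_RECORDS, "my_index", "my_sourcetype"))
```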