Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to put results of custom search command into index

skharenk
New Member
‎10-31-2019 09:59 AM

Hello all,
I have add-on with written a custom search command. This command call my python package.
my_searchcommand.py:

from lazy import Lazy
from splunklib.searchcommands import (
    dispatch,
    validators,
    StreamingCommand,
    Configuration,
    Option,
)
from my_package import MyFunc


@Configuration()
class MyCommand(StreamingCommand):
    def __init__(self):
        super(MyCommand, self).__init__()

    def prepare(self):
        settings = Settings(self.service.confs,
                            self.service.storage_passwords)

        self._action = Lazy(
            self.action,
            tr=Lazy(self.connect, settings),
        )

    def stream(self, records):
        index = self.service.indexes['my_index']  # get index
        # how to put a 'records' into 'my_index'?
        for record in records:
            yield record

    @property
    def action(self):
        ... # use my_package

    def connect(self, settings):
        ...
  1. How can I push the results of a custom search command into 'my_index', and how I can associate an index with a sourcetype?

Thank you!

0 Karma
Reply

arjunpkishore5
Motivator
‎10-31-2019 06:01 PM

you can index the results of your search using the collect command. Just add the collect statement at the end

<your search including your custom command>
| collect index=your_index sourcetype=your_sourcetype

Here's the documentation to the collect command - https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/collect

Hope this helps.

Regards
Arjun

0 Karma
Reply

skharenk
New Member
‎11-01-2019 01:19 PM

Arjun thank you for an answer. I heard about 'collect', but i need push my raw JSON into index in 'my_searchcommand.py'.

0 Karma
Reply

arjunpkishore5
Motivator
‎11-01-2019 02:04 PM

Any Specific reason for not using collect ?

If you must send data directly from the script, you can use Splunk's HEC(HTTP Event Collector). With this, you would be sending data to your index through a HTTP POST request. HEC works well with JSON data

https://dev.splunk.com/view/event-collector/SP-CAAAE6M
https://docs.splunk.com/Documentation/SplunkCloud/8.0.0/Data/UsetheHTTPEventCollector
https://docs.splunk.com/Documentation/SplunkCloud/8.0.0/Data/Senddata

0 Karma
Reply
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...