Getting Data In

Scripted or Modular Input or Neither?

mweissha
Path Finder

I need some help with what I am trying to accomplish. I have many forwarders running and successfully sending log files to the indexers. The problem is that I want to add a script in the middle on the indexing side to parse the data in a more meaningful manner and strip away all the repetitive XML cruft.

So what I am asking is how to accomplish this. I have a nodejs script that parses the input statically, not streaming, and it's configured now to send to HEC on my local dev environment. I read about scripted and modular inputs and this seems like it would be a better way to go potentially but I'm confused still as to what I need to write to accept the forwarded data and parse it. Is there documentation somewhere about the type of data sent via forwarders? Should it be Cooked vs Uncooked data? Does the script also have to parse the splunk _internal log files or can I direct specific sources via inputs.conf on the forwarder side? Does anyone have experience with running such a script on their indexers that will do this?

FritzWittwer_ol
Contributor

It gets tricky as soon as your changes are too complex to be done in an index time transform either on an indexer or an intermediate heavy forwarder. If you know your source systems well and receive the events from an input which reads a log file, you could probably change the input to a scripted input where a script reads the log file and only passes the desired parts to Splunk.

Mika Borner has written a blog about using Apache NiFi to preprocess data; this gives you a lot of flexibility, although it also has its complexity.

0 Karma

richgalloway
SplunkTrust

There's no way I know of for a script to intercept the communication between a forwarder and an indexer.

Your nodejs script seems like a good approach. An alternative to using HEC is to write the results to a monitored directory and let a forwarder send it to an indexer.

---
If this reply helps you, Karma would be appreciated.
0 Karma