topic Re: index in Splunk Enterprise

index

Muthu_Vinith — Fri, 22 Dec 2023 09:36:53 GMT

Hello Experts,

I'm facing challenge where I need to automatically load data from Python script results into a metric index in Splunk. Is it possible? I'd appreciate any guidance or examples how to achieve this?

Thanks

Re: index

richgalloway — Fri, 22 Dec 2023 14:29:04 GMT

Data sent to a metrics index must be in a particular format. See https://docs.splunk.com/Documentation/SplunkCloud/9.1.2308/Metrics/GetMetricsInOther for the specifics.

You should be able to set up the script as a scripted input that writes CSV data to stdout. Splunk will index anything sent to stdout.

Re: index

Muthu_Vinith — Tue, 26 Dec 2023 08:06:41 GMT

I tried to upload a .py file for Data Inputs - Scripts in Splunk for searching, but i can't get results. My sourcetype is CSV. How can I fix this? @richgalloway

Re: index

richgalloway — Tue, 26 Dec 2023 15:25:19 GMT

Give us more information to work with. How did you try to upload the .py file? To which instance did you upload it? Where on that instance did you try to put it? What error did you get?

Scripts can be installed in $SPLUNK_HOME/etc/bin or $SPLUNK_HOME/etc/<app>/bin on any instance, but not in a cluster. Use a heavy forwarder for the script if you have both search head and indexer clusters. Once the script file is installed in the right place you can use the GUI to define an input to use that script.

Re: index

Muthu_Vinith — Tue, 26 Dec 2023 17:02:00 GMT

I've tried both methods for installing scripts. However, I'm getting an error No Results found. But when I run the python file, I can get results and it download as excel file. @richgalloway

Re: index

richgalloway — Tue, 26 Dec 2023 17:49:06 GMT

The "No results found" message is from a search so it would seem you were successful in uploading your script ("tried" implies failure). Failure to data in a search does not mean the data did not get ingested. So, let's unpack this problem.

First, confirm the script works in the Splunk environment by using this command

splunk cmd python <<your .py file>>

Once that works, verify the scripted input is configured properly and is not disabled. Make a note of the index and sourcetype specified in the input. Confirm the index exists on the indexers and that the sourcetype is defined in a props.conf file, also on the indexers. The props.conf settings must ensure timestamps are correctly extracted from the data provided by the script. Without a good timestamp, the data may be indexed, but be undiscoverable.

Wait for the script to run. Then, using the noted index and sourcetype, search for the data.

index=foo sourcetype=bar earliest=-24h

Please let us know which part of these steps fails.