https://community.splunk.com/t5/Splunk-Dev/Can-I-parse-my-log-with-a-python-script-before-indexing/m-p/345549#M5394 <P>Hi! <BR /> I'm reading the scripted input documentation but I don't understand if they can help me in what I'd like to do.<BR /> I would like to be able to save some types of different logs in the same format.<BR /> Is it possible to use a python script to receive logs and parser them?<BR /> The logs are complex and to get a unique dashboard I first have to extract all the fields for each format and use custom search command (that I created already with intersplunk to created new fields).<BR /> I would prefer to do an initial parsing in order to extract the same fields from all sources and created new fields (and saved that).</P> <P><EM>Example:</EM> (it's just a simplified example of my situation)<BR /> <STRONG>format1</STRONG>: ###EXPECTED### {"field1":"value1} ###ACTUAL### {"field1":"value2","field2":"value1"}<BR /> <STRONG>format2</STRONG>: timestamp \n exp_field: {"field1":"value1}\n act_field {"field1":"value2","field2":"value1"}</P> <P>In my dashboard I would like a count of different fields between jsons.<BR /> Now I need to extract the fileds with two different regExp and then use a custom command that extracts the different fields between the two jsons.<BR /> I would like to do everything before indexing. It's possible?</P> <P>Thanks,<BR /> Deb</P> Tue, 29 Sep 2020 17:17:24 GMT drebai 2020-09-29T17:17:24Z https://community.splunk.com/t5/Splunk-Dev/Can-I-parse-my-log-with-a-python-script-before-indexing/m-p/345549#M5394 <P>Hi! <BR /> I'm reading the scripted input documentation but I don't understand if they can help me in what I'd like to do.<BR /> I would like to be able to save some types of different logs in the same format.<BR /> Is it possible to use a python script to receive logs and parser them?<BR /> The logs are complex and to get a unique dashboard I first have to extract all the fields for each format and use custom search command (that I created already with intersplunk to created new fields).<BR /> I would prefer to do an initial parsing in order to extract the same fields from all sources and created new fields (and saved that).</P> <P><EM>Example:</EM> (it's just a simplified example of my situation)<BR /> <STRONG>format1</STRONG>: ###EXPECTED### {"field1":"value1} ###ACTUAL### {"field1":"value2","field2":"value1"}<BR /> <STRONG>format2</STRONG>: timestamp \n exp_field: {"field1":"value1}\n act_field {"field1":"value2","field2":"value1"}</P> <P>In my dashboard I would like a count of different fields between jsons.<BR /> Now I need to extract the fileds with two different regExp and then use a custom command that extracts the different fields between the two jsons.<BR /> I would like to do everything before indexing. It's possible?</P> <P>Thanks,<BR /> Deb</P> Tue, 29 Sep 2020 17:17:24 GMT https://community.splunk.com/t5/Splunk-Dev/Can-I-parse-my-log-with-a-python-script-before-indexing/m-p/345549#M5394 drebai 2020-09-29T17:17:24Z https://community.splunk.com/t5/Splunk-Dev/Can-I-parse-my-log-with-a-python-script-before-indexing/m-p/345550#M5395 <P>Yes, it's possible. I've written a number of Python scripts that read events from a source and transform them before handing them to Splunk for indexing. In a scripted input, your script does the work of reading the source data - there is nothing to "receive". The script opens the file or makes a REST request or does something else to get its input then it does the transformation and writes the results to stdout. Whatever goes to stdout is what Splunk will index.</P> Thu, 14 Dec 2017 14:31:54 GMT https://community.splunk.com/t5/Splunk-Dev/Can-I-parse-my-log-with-a-python-script-before-indexing/m-p/345550#M5395 richgalloway 2017-12-14T14:31:54Z https://community.splunk.com/t5/Splunk-Dev/Can-I-parse-my-log-with-a-python-script-before-indexing/m-p/345551#M5396 <P>Thank you!<BR /> Are there any guides or examples?<BR /> I only find things concerning the exclusion of fields directly from the input.conf</P> Thu, 14 Dec 2017 14:45:20 GMT https://community.splunk.com/t5/Splunk-Dev/Can-I-parse-my-log-with-a-python-script-before-indexing/m-p/345551#M5396 drebai 2017-12-14T14:45:20Z https://community.splunk.com/t5/Splunk-Dev/Can-I-parse-my-log-with-a-python-script-before-indexing/m-p/345552#M5397 <P>Here is an example:<BR /> <A href="https://docs.splunk.com/Documentation/SplunkCloud/6.6.3/AdvancedDev/ScriptExample">https://docs.splunk.com/Documentation/SplunkCloud/6.6.3/AdvancedDev/ScriptExample</A><BR /> As @richgalloway said, whatever goes to stdout (via "print") is what Splunk will index. So add a few lines in your Python script to format the output as needed.</P> Thu, 14 Dec 2017 14:54:26 GMT https://community.splunk.com/t5/Splunk-Dev/Can-I-parse-my-log-with-a-python-script-before-indexing/m-p/345552#M5397 Yunagi 2017-12-14T14:54:26Z