https://community.splunk.com/t5/Getting-Data-In/Using-TCP-data-input-to-receive-from-switch-sending-data-in-raw/m-p/425392#M94462 <P>Hi,<BR /> I am trying to receive data in splunk using TCP Data input from switch at port 20010. The data is in raw format(send via grpc using protocol buffers). Splunk is receiving the data and adding to event but it is like encrypted format in which it is being transferred.<BR /> Sample below:</P> <BLOCKQUOTE> <P>Blockquote</P> </BLOCKQUOTE> <P>\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0\x00\x00\xFF\xFF\x00\x00\x00@\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00%\x00\x00\x00:methodPOST@:path&amp;/mdt_dialout.gRPCMdtDialout/MdtDialout@<BR /> :authority:57010@<BR /> grpc-encodingidentity@grpc-accept-encodingidentity,deflate,@content-typeapplication/grpc@<BR /> user-agent+grpc-c++/1.0.0 grpc-c/1.0.0 (linux; )@grpc-timeout30S\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFB<BR /> wIObw*9728z&#16;rtIOb*3170304z&#16;wtIOb*&#7;3170304zrtIOint*&#8;13785891zwtIOint*&#6;562518*</P> <BLOCKQUOTE> <P>Blockquote</P> </BLOCKQUOTE> <P>Is it possible to run any python or any other code to get this data while it is being received and convert to json/anyother format then send to the splunk index.</P> <P>I didn't find any place to include any script file which modifies the TCP received input before sending to index.<BR /> Is there any way to do that?</P> <P>Alternative I have done is a seperate python script to receive the data from switch and parse it and send to splunk and placed the python script inside an AddOn. But I want to use the direct method that splunk receives from switch directly via TCP and parse it via some script.</P> Tue, 29 Sep 2020 20:18:55 GMT sawgata12345 2020-09-29T20:18:55Z https://community.splunk.com/t5/Getting-Data-In/Using-TCP-data-input-to-receive-from-switch-sending-data-in-raw/m-p/425392#M94462 <P>Hi,<BR /> I am trying to receive data in splunk using TCP Data input from switch at port 20010. The data is in raw format(send via grpc using protocol buffers). Splunk is receiving the data and adding to event but it is like encrypted format in which it is being transferred.<BR /> Sample below:</P> <BLOCKQUOTE> <P>Blockquote</P> </BLOCKQUOTE> <P>\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0\x00\x00\xFF\xFF\x00\x00\x00@\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00%\x00\x00\x00:methodPOST@:path&amp;/mdt_dialout.gRPCMdtDialout/MdtDialout@<BR /> :authority:57010@<BR /> grpc-encodingidentity@grpc-accept-encodingidentity,deflate,@content-typeapplication/grpc@<BR /> user-agent+grpc-c++/1.0.0 grpc-c/1.0.0 (linux; )@grpc-timeout30S\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFB<BR /> wIObw*9728z&#16;rtIOb*3170304z&#16;wtIOb*&#7;3170304zrtIOint*&#8;13785891zwtIOint*&#6;562518*</P> <BLOCKQUOTE> <P>Blockquote</P> </BLOCKQUOTE> <P>Is it possible to run any python or any other code to get this data while it is being received and convert to json/anyother format then send to the splunk index.</P> <P>I didn't find any place to include any script file which modifies the TCP received input before sending to index.<BR /> Is there any way to do that?</P> <P>Alternative I have done is a seperate python script to receive the data from switch and parse it and send to splunk and placed the python script inside an AddOn. But I want to use the direct method that splunk receives from switch directly via TCP and parse it via some script.</P> Tue, 29 Sep 2020 20:18:55 GMT https://community.splunk.com/t5/Getting-Data-In/Using-TCP-data-input-to-receive-from-switch-sending-data-in-raw/m-p/425392#M94462 sawgata12345 2020-09-29T20:18:55Z https://community.splunk.com/t5/Getting-Data-In/Using-TCP-data-input-to-receive-from-switch-sending-data-in-raw/m-p/425393#M94463 <P>Hi ,</P> <P>You could use <A href="https://docs.splunk.com/Documentation/Splunk/7.1.1/Data/Monitornetworkports">https://docs.splunk.com/Documentation/Splunk/7.1.1/Data/Monitornetworkports</A> and then use props and transforms to modify data before indexing</P> Tue, 03 Jul 2018 11:50:03 GMT https://community.splunk.com/t5/Getting-Data-In/Using-TCP-data-input-to-receive-from-switch-sending-data-in-raw/m-p/425393#M94463 renjith_nair 2018-07-03T11:50:03Z https://community.splunk.com/t5/Getting-Data-In/Using-TCP-data-input-to-receive-from-switch-sending-data-in-raw/m-p/425394#M94464 <P>Hi Renjith,<BR /> I have used the same link to create the TCP input but my issue was to parse the output.<BR /> I had done it in python and created a AddOn by converting the raw input into dictionary and then parsing and taking out the required fields and forming specific json and send to Splunk via sdk.<BR /> I checked the prof.conf and transform.conf from the links where only option is writing regex to parse the inputs.<BR /> Here is How the input comes from switch:</P> <BLOCKQUOTE> <P>Blockquote<BR /> node_id_str: "switch1"<BR /> encoding_path: "query:10050"<BR /> collection_id: 1100<BR /> msg_timestamp: 1515492081100<BR /> data_gpbkv {<BR /> fields {<BR /> name: "keys"<BR /> fields {<BR /> name: "query:10050"<BR /> string_value: "query:10050"<BR /> }<BR /> }<BR /> fields {<BR /> name: "content"<BR /> fields {<BR /> fields {<BR /> name: "values"<BR /> fields {<BR /> fields {<BR /> name: "1"<BR /> fields {<BR /> fields {<BR /> name: "port"<BR /> string_value: "fc2/4"<BR /> }<BR /> fields {<BR /> name: "scsi_target_count"<BR /> string_value: "0"<BR /> }<BR /> }<BR /> }<BR /> fields {<BR /> name: "2"<BR /> fields {<BR /> fields {<BR /> name: "port"<BR /> string_value: "fc2/3"<BR /> }<BR /> fields {<BR /> name: "scsi_target_count"<BR /> string_value: "1"<BR /> }<BR /> }<BR /> }<BR /> fields {<BR /> name: '3"<BR /> fields {<BR /> fields {<BR /> name: "port"<BR /> string_value: "fc16/3"<BR /> }<BR /> fields {<BR /> name: "scsi_target_count"<BR /> string_value: "3"<BR /> }<BR /> }<BR /> }<BR /> //similarly there are details for "name":"4", "name":"5" ... so on till "name":"40"<BR /> }<BR /> }<BR /> }<BR /> }<BR /> }<BR /> Blockquote</P> </BLOCKQUOTE> <P>Here i need to go through a loop and take out the values like below:<BR /> <EM>from the output from above code: <BR /> name: "scsi_target_count"<BR /> string_value: "3"<BR /> we need to make like "scsi_target_count":"3"</EM> . like key value pair and form json as shown below to send to splunk. This i have done in python for the AddOn. I thought to call python script from the TCP input and get the json formated output and then send to indexer.</P> <P><STRONG>{"name":"1","node_id_str": "switch1","msg_timestamp": "1515492081100","port": "fc2/4","scsi_target_count":"0"}<BR /> {name: "2","node_id_str": "switch1","msg_timestamp": "1515492081100","port": "fc2/3","scsi_target_count":"1"}</STRONG></P> <P>similarly more ports are there so multiple json objects with the common part for all is<BR /> "node_id_str": "switch1","msg_timestamp": "1515492081100" and the varying part is "port": "xx/x","scsi_target_count":"count" .</P> <P>Is there any way in regex in transform.conf to get similar output?</P> Tue, 29 Sep 2020 20:19:59 GMT https://community.splunk.com/t5/Getting-Data-In/Using-TCP-data-input-to-receive-from-switch-sending-data-in-raw/m-p/425394#M94464 sawgata12345 2020-09-29T20:19:59Z https://community.splunk.com/t5/Getting-Data-In/Using-TCP-data-input-to-receive-from-switch-sending-data-in-raw/m-p/425395#M94465 <P>If you have a lot of data processing, have a look at this blog also : <A href="https://www.splunk.com/blog/2014/11/11/protocol-data-inputs.html">https://www.splunk.com/blog/2014/11/11/protocol-data-inputs.html</A></P> Thu, 05 Jul 2018 10:00:00 GMT https://community.splunk.com/t5/Getting-Data-In/Using-TCP-data-input-to-receive-from-switch-sending-data-in-raw/m-p/425395#M94465 renjith_nair 2018-07-05T10:00:00Z