I am trying to receive data in Splunk using a TCP data input from a switch on port 20010. The data is in raw format (sent via gRPC using protocol buffers). Splunk is receiving the data and adding it to an event, but it appears in an encrypted-looking format, the one in which it is being transferred.
Is it possible to run Python or any other code to get this data while it is being received, convert it to JSON or another format, and then send it to the Splunk index?
I didn't find any place to include a script file that modifies the received TCP input before sending it to the index.
Is there any way to do that?
The alternative I have done is a separate Python script that receives the data from the switch, parses it and sends it to Splunk, and I placed the Python script inside an add-on. But I want to use the direct method, where Splunk receives from the switch directly via TCP and parses it via some script.
I have used the same link to create the TCP input, but my issue was to parse the output.
I had done it in Python and created an add-on by converting the raw input into a dictionary, then parsing it, taking out the required fields, forming specific JSON and sending it to Splunk via the SDK.
I checked props.conf and transforms.conf from the links, where the only option is writing regex to parse the inputs.
Here is how the input comes from the switch:
Here I need to go through a loop and take out the values like below, from the output of the above code:
We need to make something like "scsi_target_count":"3", i.e. a key-value pair, and form JSON as shown below to send to Splunk. This I have done in Python for the add-on. I thought to call a Python script from the TCP input, get the JSON-formatted output and then send it to the indexer.
Similarly, there are more ports, so there are multiple JSON objects, where the common part for all of them is
"node_id_str": "switch1","msg_timestamp": "1515492081100" and the varying part is "port": "xx/x","scsi_target_count":"count".
Is there any way in regex in transforms.conf to get similar output?
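The per-port flattening step described in the posts above, as an added Python example that is not part of the question or of any Splunk code: it assumes the protobuf payload has already been decoded into a dict (the decoding step depends on the switch's .proto, which is not on this page), and the constructed `ports` list is an assumed location for the per-port entries.

```python
import json

# Constructed sample of an already-decoded telemetry message.
# Assumption: the real gRPC/protobuf message decodes into a dict of this shape.
SAMPLE_MESSAGE = {
    "node_id_str": "switch1",
    "msg_timestamp": "1515492081100",
    "ports": [
        {"port": "1/1", "scsi_target_count": 3},
        {"port": "1/2", "scsi_target_count": 0},
        {"port": "1/3"},  # no count reported: left out of the events
    ],
}

# Fields shared by every event built from one message.
COMMON_FIELDS = ("node_id_str", "msg_timestamp")


def flatten_events(message):
    """Return one flat dict per port, each carrying the common fields.

    Values are rendered as strings to match the "key":"value" shape the
    question asks for. Port entries without scsi_target_count are skipped
    rather than emitted with a missing field.
    """
    common = {key: str(message[key]) for key in COMMON_FIELDS}
    events = []
    for entry in message.get("ports", []):
        if "scsi_target_count" not in entry:
            continue
        events.append({
            **common,
            "port": str(entry["port"]),
            "scsi_target_count": str(entry["scsi_target_count"]),
        })
    return events


def to_ndjson(events):
    """Serialise events as newline-delimited JSON, one object per line,
    the form a Splunk TCP or HEC raw input can index as separate events."""
    return "".join(json.dumps(event, sort_keys=True) + "\n" for event in events)


if __name__ == "__main__":
    print(to_ndjson(flatten_events(SAMPLE_MESSAGE)), end="")
```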