I have an add-on with a custom search command written in it. This command calls my Python package.

import sys

from lazy import Lazy
from splunklib.searchcommands import (
    dispatch,
    validators,
    StreamingCommand,
    Configuration,
    Option,
)
# Settings is used in prepare() but was not imported in the snippet;
# it is assumed here to come from the same package as MyFunc.
from my_package import MyFunc, Settings


@Configuration()
class MyCommand(StreamingCommand):
    def __init__(self):
        super(MyCommand, self).__init__()

    def prepare(self):
        settings = Settings(self.service.confs, self.service.storage_passwords)
        self._action = Lazy(
            self.action,
            tr=Lazy(self.connect, settings),
        )

    def stream(self, records):
        index = self.service.indexes['my_index']  # get index
        # how to put a 'records' into 'my_index'?
        for record in records:
            yield record

    @property
    def action(self):
        ...  # use my_package

    def connect(self, settings):
        ...


# standard splunklib entry point for a custom search command
dispatch(MyCommand, sys.argv, sys.stdin, sys.stdout, __name__)
You can index the results of your search using the collect command. Just add the collect statement at the end:

<your search including your custom command> | collect index=your_index sourcetype=your_sourcetype

Here's the documentation for the collect command: https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/collect

Hope this helps.
Any specific reason for not using collect?

If you must send data directly from the script, you can use Splunk's HEC (HTTP Event Collector). With this, you would be sending data to your index through an HTTP POST request. HEC works well with JSON data.
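As an added illustration of the HEC route (example code, not from the original post or from Splunk's SDK): the helper below wraps search-command records in HEC event envelopes, batches them into newline-delimited JSON bodies, and POSTs each body to the collector endpoint with the `Authorization: Splunk <token>` header. The endpoint path `/services/collector/event` and that header format are HEC's documented interface; the `HEC_URL`/`HEC_TOKEN` environment variables, the sample records, and the index/sourcetype names are constructed for this example. The token is read from the environment rather than written into the add-on, TLS certificate verification is left at urllib's default (on), and HEC's JSON error body is surfaced on a 4xx/5xx so a bad token or malformed payload fails loudly instead of silently dropping events.

```python
import json
import os
import time
import urllib.error
import urllib.request
from typing import Iterable, List

# Assumed deployment values: supplied via environment, never hard-coded in the add-on.
HEC_URL = os.environ.get("HEC_URL", "https://splunk.example.com:8088/services/collector/event")
HEC_TOKEN = os.environ.get("HEC_TOKEN", "")


def _event_time(record: dict) -> float:
    """Use the record's _time (epoch seconds as Splunk emits it) or fall back to now."""
    try:
        return float(record["_time"])
    except (KeyError, TypeError, ValueError):
        return time.time()


def build_hec_batches(records: Iterable[dict], index: str, sourcetype: str,
                      batch_size: int = 100) -> List[bytes]:
    """Wrap each record in a HEC event envelope and group them into request bodies.

    HEC accepts several JSON event objects in one request body, so each returned
    bytes object is one POST containing up to batch_size newline-separated events.
    """
    batches: List[bytes] = []
    current: List[str] = []
    for record in records:
        envelope = {
            "time": _event_time(record),
            "index": index,
            "sourcetype": sourcetype,
            "event": record,
        }
        # default=str keeps non-JSON-native values (e.g. datetime) from aborting the batch
        current.append(json.dumps(envelope, default=str))
        if len(current) == batch_size:
            batches.append("\n".join(current).encode("utf-8"))
            current = []
    if current:
        batches.append("\n".join(current).encode("utf-8"))
    return batches


def send_batch(body: bytes, url: str = HEC_URL, token: str = HEC_TOKEN,
               timeout: float = 10.0) -> dict:
    """POST one batch to HEC and return its JSON acknowledgement ({"text": "Success", "code": 0})."""
    req = urllib.request.Request(
        url,
        data=body,
        method="POST",
        headers={
            "Authorization": f"Splunk {token}",
            "Content-Type": "application/json",
        },
    )
    try:
        # urlopen's default SSL context verifies the server certificate; do not disable it.
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.loads(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as exc:
        # HEC answers 403 for an invalid token, 400 for a bad payload, 503 when busy;
        # the body carries {"text": "...", "code": N} explaining which.
        detail = exc.read().decode("utf-8", "replace")
        raise RuntimeError(f"HEC rejected batch: HTTP {exc.code} {detail}") from exc


# Constructed sample records, shaped like what a streaming command's stream() receives.
SAMPLE_RECORDS = [
    {"_time": "1700000000.000", "host": "web01", "status": "200", "uri": "/login"},
    {"_time": "1700000001.000", "host": "web01", "status": "401", "uri": "/login"},
    {"host": "web02", "status": "500", "uri": "/api/items"},  # no _time: falls back to now
]


if __name__ == "__main__":
    # Offline demo: build the bodies only; uncomment the send loop where HEC is reachable.
    bodies = build_hec_batches(SAMPLE_RECORDS, "my_index", "my_sourcetype", batch_size=2)
    print(f"{len(bodies)} HEC request bodies built")
    # for body in bodies:
    #     print(send_batch(body))
```

Inside the command, stream() can append each record to a buffer as it yields it and call `send_batch` on the batches after the loop; sending per record would cost one HTTPS round trip per event.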