How to put results of custom search command into index

New Member

Hello all,
I have an add-on with a custom search command written for it. This command calls my python package.
my_searchcommand.py:

import sys

from lazy import Lazy
from splunklib.searchcommands import (
    dispatch,
    validators,
    StreamingCommand,
    Configuration,
    Option,
)
from my_package import MyFunc
# NOTE: Settings (used in prepare) is not imported in the original post;
# it is assumed to be a class from the add-on's own package.


@Configuration()
class MyCommand(StreamingCommand):
    def __init__(self):
        super(MyCommand, self).__init__()

    def prepare(self):
        # Read the add-on's configuration and credentials (storage/passwords)
        # through the REST service bound to this command.
        settings = Settings(self.service.confs,
                            self.service.storage_passwords)

        # Defer the connect/action setup until it is first used.
        self._action = Lazy(
            self.action,
            tr=Lazy(self.connect, settings),
        )

    def stream(self, records):
        index = self.service.indexes['my_index']  # get index
        # how to put a 'records' into 'my_index'?
        for record in records:
            yield record

    @property
    def action(self):
        ... # use my_package

    def connect(self, settings):
        ...


# Entry point: splunkd runs the script and dispatch() routes to the command class
dispatch(MyCommand, sys.argv, sys.stdin, sys.stdout, __name__)

1. How can I push the results of a custom search command into 'my_index', and how can I associate an index with a sourcetype?

Thank you!

0 Karma

Re: How to put results of custom search command into index

Motivator

You can index the results of your search using the collect command. Just add the collect statement at the end:

<your search including your custom command>
| collect index=your_index sourcetype=your_sourcetype

Here's the documentation to the collect command - https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/collect

Hope this helps.

Regards
Arjun

0 Karma

Re: How to put results of custom search command into index

New Member

Arjun, thank you for the answer. I heard about 'collect', but I need to push my raw JSON into the index from 'my_searchcommand.py'.

0 Karma

Re: How to put results of custom search command into index

Motivator

Any specific reason for not using collect?

If you must send data directly from the script, you can use Splunk's HEC (HTTP Event Collector). With this, you would be sending data to your index through an HTTP POST request. HEC works well with JSON data.

https://dev.splunk.com/view/event-collector/SP-CAAAE6M
https://docs.splunk.com/Documentation/SplunkCloud/8.0.0/Data/UsetheHTTPEventCollector
https://docs.splunk.com/Documentation/SplunkCloud/8.0.0/Data/Senddata

0 Karma
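To make the HEC route in the answer above concrete, here is an added example (not code from the thread, the add-on, or Splunk's SDK) of the pieces a streaming command would need: it wraps each record in a HEC envelope carrying index and sourcetype (which is also how the original question's "associate an index with a sourcetype" gets answered for HEC-sent data), POSTs the batch to /services/collector with the "Splunk <token>" Authorization header, and passes the records through unchanged so the search still returns them. The HEC URL and token are placeholders; in the real command the token should come from the storage/passwords endpoint the poster's prepare() already reads, never from the script source. The sample records are constructed, and the transport is injectable so the logic runs offline.

```python
import json
import ssl
import urllib.request

# Constructed sample records, standing in for the 'records' a StreamingCommand receives.
SAMPLE_RECORDS = [
    {"_time": 1700000000, "user": "alice", "action": "login", "result": "success"},
    {"_time": 1700000001, "user": "bob", "action": "login", "result": "failure"},
]


def build_hec_batch(records, index, sourcetype, source="my_searchcommand"):
    """Serialize records into the concatenated-JSON body HEC accepts in one POST.

    Each record becomes one HEC envelope: routing metadata (index, sourcetype,
    source, time) at the top level, the record itself under 'event', so the event
    lands in the index as raw JSON under the chosen sourcetype.
    """
    lines = []
    for record in records:
        envelope = {"index": index, "sourcetype": sourcetype,
                    "source": source, "event": record}
        if "_time" in record:
            envelope["time"] = record["_time"]  # HEC 'time' is epoch seconds
        lines.append(json.dumps(envelope, separators=(",", ":")))
    return "\n".join(lines)


def hec_request(hec_url, token, body):
    """Build the POST to the collector endpoint with the HEC token header.

    hec_url is the scheme://host:port of the collector (placeholder in tests);
    the token never appears anywhere except this header.
    """
    return urllib.request.Request(
        url=hec_url.rstrip("/") + "/services/collector",
        data=body.encode("utf-8"),
        method="POST",
        headers={"Authorization": "Splunk " + token,
                 "Content-Type": "application/json"},
    )


def send_to_hec(hec_url, token, records, index, sourcetype,
                opener=None, batch_size=500):
    """POST records in batches; returns the number of batches accepted.

    `opener` defaults to an HTTPS opener that verifies the server certificate
    (do not disable verification just because HEC uses a self-signed cert;
    trust the cert explicitly instead). It is injectable for offline tests.
    """
    if opener is None:
        ctx = ssl.create_default_context()
        opener = urllib.request.build_opener(urllib.request.HTTPSHandler(context=ctx))
    records = list(records)
    sent = 0
    for start in range(0, len(records), batch_size):
        body = build_hec_batch(records[start:start + batch_size], index, sourcetype)
        with opener.open(hec_request(hec_url, token, body), timeout=10) as resp:
            reply = json.loads(resp.read().decode("utf-8"))
        # HEC answers {"text":"Success","code":0}; any other code is a rejection
        # (e.g. token not allowed for this index, or the index does not exist).
        if reply.get("code") != 0:
            raise RuntimeError("HEC rejected batch: %s" % reply.get("text"))
        sent += 1
    return sent


def forward_records(records, sender, batch_size=500):
    """Generator shaped like StreamingCommand.stream(): buffer records, hand each
    full batch to `sender`, and yield every record unchanged to the search pipeline.
    In the real command, `sender` would be a closure around send_to_hec()."""
    batch = []
    for record in records:
        batch.append(record)
        if len(batch) >= batch_size:
            sender(batch)
            batch = []
        yield record
    if batch:
        sender(batch)


if __name__ == "__main__":
    # Offline demonstration: print the body that would be POSTed for the sample records.
    print(build_hec_batch(SAMPLE_RECORDS, "my_index", "_json"))
```

Inside stream() you would wire it up as `yield from forward_records(records, lambda b: send_to_hec(url, token, b, "my_index", "_json"))`, with url and token loaded in prepare(). Two things to check on the Splunk side before blaming the script: the HEC token's allowed-indexes list must include my_index, and the sourcetype in the envelope should be a JSON-aware one (the built-in _json works) so the record's fields are extracted at search time.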