Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

discard few fields and ingest required data using scripted input

ips_mandar
Builder
‎06-14-2019 03:41 AM

I want to discard few fields from monitoring input so not increase license usage
What will be best way to do it
It can be possible with SEDCMD but I am trying to know using scripted input
I am newbie in script writing ..can anyone guide me to write python script to take only required data in splunk.
What are the stepsto follow?
Thanks in advance. I am using Splunk 7.3 on Windows server.

0 Karma
Reply

woodcock
Esteemed Legend
‎06-14-2019 09:51 AM

If you are using a scripted input, then you can either edit the script to modify what it outputs, or, if you already have a SEDCMD that works, you can just add | sed "Your SEDCMD here" to the end of the command line.

Reply

ips_mandar
Builder
‎06-17-2019 02:13 AM

Thanks @woodcock
For example I have below props.conf 

SEDCMD-aremoveheader = s/^\<\?xml[^\>]*\>\n*//g

Then What I need to write in script to run above in script(will it by .py?).
Note: the above props.conf is in Indexer and if I run only |sed ""using script it will not fetch the data from remote server. Since I want to fetch data from remote server.

0 Karma
Reply

woodcock
Esteemed Legend
‎06-17-2019 06:40 AM

You have something like this in your inputs.conf:

 [script:///path/to/your_script.sh]

Change it to this:

[script:///path/to/your_script.sh | sed "s/^\<\?xml[^\>]*\>\n*//g"]
0 Karma
Reply

woodcock
Esteemed Legend
‎06-17-2019 09:48 AM

You might need to specify the full path to the sed binary.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-14-2019 05:20 AM

Splunk will index whatever a scripted input writes to stdout. Your script can read any data at all, but the key is write only the fields you want in Splunk.

---
If this reply helps you, Karma would be appreciated.
Reply

ips_mandar
Builder
‎06-14-2019 06:47 AM

Thanks @richgalloway Can you please help me with sample script like python . for example I have csv file in which I want only field 2 ,field 3 ,field 5 to be extracted... Since I never written any script can you please help to provide sample script which will work like mentioned above.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-14-2019 07:28 AM

Google can provide lots of examples. Here's one I crafted from the first result.

import csv

with open('my_csv.txt', mode='r') as csv_file:
    csv_reader = csv.DictReader(csv_file)
    for row in csv_reader:
        print(f'{row[2]},{row[3]},{row[5]}')
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

ips_mandar
Builder
‎06-17-2019 02:14 AM

Thanks @richgalloway I will give this try and will keep posted.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...