Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

discard few fields and ingest required data using scripted input

ips_mandar
Builder
‎06-14-2019 03:41 AM

I want to discard few fields from monitoring input so not increase license usage
What will be best way to do it
It can be possible with SEDCMD but I am trying to know using scripted input
I am newbie in script writing ..can anyone guide me to write python script to take only required data in splunk.
What are the stepsto follow?
Thanks in advance. I am using Splunk 7.3 on Windows server.

0 Karma
Reply

woodcock
Esteemed Legend
‎06-14-2019 09:51 AM

If you are using a scripted input, then you can either edit the script to modify what it outputs, or, if you already have a SEDCMD that works, you can just add | sed "Your SEDCMD here" to the end of the command line.

Reply

ips_mandar
Builder
‎06-17-2019 02:13 AM

Thanks @woodcock
For example I have below props.conf 

SEDCMD-aremoveheader = s/^\<\?xml[^\>]*\>\n*//g

Then What I need to write in script to run above in script(will it by .py?).
Note: the above props.conf is in Indexer and if I run only |sed ""using script it will not fetch the data from remote server. Since I want to fetch data from remote server.

0 Karma
Reply

woodcock
Esteemed Legend
‎06-17-2019 06:40 AM

You have something like this in your inputs.conf:

 [script:///path/to/your_script.sh]

Change it to this:

[script:///path/to/your_script.sh | sed "s/^\<\?xml[^\>]*\>\n*//g"]
0 Karma
Reply

woodcock
Esteemed Legend
‎06-17-2019 09:48 AM

You might need to specify the full path to the sed binary.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-14-2019 05:20 AM

Splunk will index whatever a scripted input writes to stdout. Your script can read any data at all, but the key is write only the fields you want in Splunk.

---
If this reply helps you, Karma would be appreciated.
Reply

ips_mandar
Builder
‎06-14-2019 06:47 AM

Thanks @richgalloway Can you please help me with sample script like python . for example I have csv file in which I want only field 2 ,field 3 ,field 5 to be extracted... Since I never written any script can you please help to provide sample script which will work like mentioned above.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-14-2019 07:28 AM

Google can provide lots of examples. Here's one I crafted from the first result.

import csv

with open('my_csv.txt', mode='r') as csv_file:
    csv_reader = csv.DictReader(csv_file)
    for row in csv_reader:
        print(f'{row[2]},{row[3]},{row[5]}')
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

ips_mandar
Builder
‎06-17-2019 02:14 AM

Thanks @richgalloway I will give this try and will keep posted.

0 Karma
Reply
Get Updates on the Splunk Community!

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...
Top