Log data into Splunk using Python SDK

manudbc
Explorer

Hello,

I was wondering if there is any way to log data into Splunk using the Python SDK. I've found a way to send data to a specific port. In my case, I'm trying to log data into Splunk using a Python script, calling it from a Splunk search. Let me explain myself a little bit more:

I perform a query that looks like this:

| script MyLogData parameter1 parameter2

That script downloads a JSON file that I would like to log into Splunk. I have declared the script in the commands.conf file, so everything is fine. The file is executed successfully, so there is no issue on that side.

The problem is that I haven't found a way to log data into Splunk using the Python SDK. The only solution I've found is logging data using a "remote" connection (using user and password), but that is not the way I would like to do it, because the script is running on the Splunk server. My question is: is there any way to log data directly into Splunk? Does the SDK have any way to do it?

Thank you very much!

Kind regards 🙂


starcher
Influencer

If you are in Python, you are way better off sending data via the HTTP Event Collector than directly through the API.

https://github.com/georgestarcher/Splunk-Class-httpevent

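One way to follow this advice with nothing but Python's standard library, as an added example that is not part of the original thread or of the linked class: it wraps the downloaded JSON in the HEC event envelope and POSTs it to the collector endpoint (HEC listens on port 8088 by default, at /services/collector/event, and authenticates with a token in the Authorization header), so the script needs an HEC token rather than a Splunk user name and password. The URL, token, and source/sourcetype/host values are assumed placeholders.

```python
"""Added example: ship a downloaded JSON document to Splunk via HTTP Event Collector."""
import json
import os
import time
import urllib.request

# Assumed values: HEC's default port is 8088; the token is created in Splunk
# under Settings > Data Inputs > HTTP Event Collector. Read both from the
# environment so no credential is hard-coded in the script.
HEC_URL = os.environ.get("SPLUNK_HEC_URL",
                         "https://splunk.example.internal:8088/services/collector/event")
HEC_TOKEN = os.environ.get("SPLUNK_HEC_TOKEN", "REPLACE-WITH-HEC-TOKEN")


def build_hec_payload(raw_json, source="MyApp://MyApp", sourcetype="MyAPP",
                      host="MyAPP", ts=None):
    """Wrap the downloaded text in the HEC envelope and return it as a dict.

    If the download is valid JSON it is embedded as an object so Splunk indexes
    its fields; otherwise it is shipped as a plain string (indexed, not
    field-extracted). json.dumps() happens at send time.
    """
    try:
        event = json.loads(raw_json)
    except ValueError:
        event = raw_json
    return {
        "time": ts if ts is not None else time.time(),
        "host": host,
        "source": source,
        "sourcetype": sourcetype,
        "event": event,
    }


def send_hec_event(payload, url=HEC_URL, token=HEC_TOKEN, timeout=10):
    """POST one envelope to HEC; returns the parsed reply, e.g. {"text": "Success", "code": 0}.

    urllib verifies the server certificate by default; keep it that way and
    trust the Splunk CA rather than disabling verification.
    """
    req = urllib.request.Request(
        url,
        data=json.dumps(payload).encode("utf-8"),
        headers={"Authorization": "Splunk " + token,
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


if __name__ == "__main__":
    # Constructed sample standing in for the JSON the script downloads.
    sample = '{"id": 42, "status": "ok", "items": [1, 2, 3]}'
    print(send_hec_event(build_hec_payload(sample)))
```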

rodkinal
New Member

Hello!

Sorry for being late with my response. But does sending the event via HTTP mean opening an extra port? Is this method a built-in way to log events into Splunk?

Thank you very much!


rodkinal
New Member

For some reason Splunk crashes after executing this script and I need to restart it.

import splunklib.client as client
import requests
import sys


def requestJSON():
    params = {'key': '1Uasdfui4', 'resource': 'aIUijasduhaiiajsdklfj'}
    headers = {"Accept-Encoding": "gzip, deflate", "User-Agent": "Firefox"}
    response = requests.get('https://www.getmyjson.com/', params=params, headers=headers)
    response.raise_for_status()  # fail loudly instead of indexing an error page
    return response.text


def main(argv):
    service = client.connect(app="MyAPP", sharing="app", username="user", password="password")
    # attach() returns a raw streaming socket to the index; it expects bytes
    # and must be closed, or the connection is left open on the server side.
    cn = service.indexes["main"].attach(source="MyApp://MyApp", sourcetype="MyAPP", host="MyAPP")
    try:
        cn.sendall((requestJSON() + "\n").encode("utf-8"))
    finally:
        cn.close()
    print("Job done!")


if __name__ == "__main__":
    main(sys.argv[1:])

Does anyone know how to do this? It's weird that Splunk crashes after this :S


tiagofbmm
Influencer

Hey

There is a oneshot.py in the Python SDK, have you had a look at it?

Also, how about retrieving that data to a file and having Splunk monitor it after your script gets it?

Let me know your thoughts


rodkinal
New Member

Hello Tiago! Sounds great, but after taking a look into the file, I realised that it only allows performing searches. I've been investigating and it looks like submit.py may do what he's looking for. Could anyone confirm that?


tiagofbmm
Influencer

Yes, I believe it is exactly what you need: a command line utility that submits event data to Splunk from stdin.


rodkinal
New Member

I'm taking a look into it 🙂 Thank you!
