Splunk Enterprise

How can I send event log to custom search commands

bkhwang
Explorer

 

Hello !!

I want to read index=test line by line and then analyze log by  log_dict and parser_log  function..

is it possible?? 

I am very desperate to solve this problem. please help me..ㅠ.ㅠ

 

 

 

@Configuration()
class GenerateTESTCommand(GeneratingCommand):
    
    event_log = read event_log(index)
    
    def generate(self):
        log = self.log_dict(self.event_log)
        if log:
            try:
                result = self.parse_log(log)
                yield result
                
            except BaseException as ex:
                print(log, ex)

 

 

 

 

Labels (1)
0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

If you are struggling to write a custom command, perhaps if you describe exactly what you are trying to achieve, there may be another way to do it with SPL?

0 Karma

bkhwang
Explorer

Event log looks like  event_log = ' "srcip" = "1.1.1.1"'

Analyze event_log using python script(searchcommand)

After analyze, new_log made

python script -> shodan.api(event_log) -> new_log

new_log = '"srcip" = "1.1.1.1", "srccountry=Japan"'

0 Karma

bkhwang
Explorer

Umm  I want to analyze my office log by other platform(like shodan)  

Firtst, I send firewall log  to splunk server and make index  like index='test'

Second, if new log occured, my custom searchcommands read log and return new log which analyzed by shodan, censys.

Third, Draw  graphes on dashboard with a new log 

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

That doesn't really explain what analysis shodan is doing so it is not possible to determine whether this could be done in SPL instead.

0 Karma
Get Updates on the Splunk Community!

ATTENTION!! We’re MOVING (not really)

Hey, all! In an effort to keep this Slack workspace secure and also to make our new members' experience easy, ...

Splunk Admins: Build a Smarter Stack with These Must-See .conf25 Sessions

  Whether you're running a complex Splunk deployment or just getting your bearings as a new admin, .conf25 ...

AppDynamics Summer Webinars

This summer, our mighty AppDynamics team is cooking up some delicious content on YouTube Live to satiate your ...