Splunk Enterprise

How can I send event log to custom search commands

bkhwang
Explorer

Hello!!

I want to read index=test line by line and then analyze each log with the log_dict and parser_log functions.

Is it possible?

I am very desperate to solve this problem. Please help me.. ㅠ.ㅠ

import sys
from splunklib.searchcommands import dispatch, GeneratingCommand, Configuration

@Configuration()
class GenerateTESTCommand(GeneratingCommand):

    def generate(self):
        # The original pseudocode line was "event_log = read event_log(index)".
        # A generating command receives no search results, so it has to fetch
        # them itself (read_event_log, log_dict and parse_log are the poster's
        # own, undefined here); a StreamingCommand placed after "index=test |"
        # in the search gets the events delivered instead.
        for event_log in self.read_event_log("test"):
            log = self.log_dict(event_log)
            if not log:
                continue
            try:
                yield self.parse_log(log)
            except Exception as ex:
                # print() would corrupt the command's stdout protocol; log instead
                self.logger.error("%s: %s", log, ex)

dispatch(GenerateTESTCommand, sys.argv, sys.stdin, sys.stdout, __name__)

0 Karma

ITWhisperer
SplunkTrust

If you are struggling to write a custom command, perhaps if you describe exactly what you are trying to achieve, there may be another way to do it with SPL?

0 Karma

bkhwang
Explorer

The event log looks like: event_log = ' "srcip" = "1.1.1.1"'

Analyze event_log using a Python script (search command)

After analysis, new_log is made

python script -> shodan.api(event_log) -> new_log

new_log = '"srcip" = "1.1.1.1", "srccountry=Japan"'

0 Karma

bkhwang
Explorer

Umm, I want to analyze my office log with another platform (like Shodan).

First, I send the firewall log to the Splunk server and make an index like index='test'.

Second, if a new log occurs, my custom search command reads the log and returns a new log which is analyzed by Shodan and Censys.

Third, draw graphs on the dashboard with the new log.

0 Karma
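The three-step flow above, as an added example that is not part of the original thread: a StreamingCommand (so the events arrive from `index=test | ...` and the command never has to read the index itself) whose parsing and enrichment live in plain functions. It assumes the Splunk SDK for Python (splunklib) is installed on the search head; `demo_lookup` and `SAMPLE_GEO` are a constructed stand-in for the Shodan/Censys client, and a failing lookup is recorded per event rather than aborting the search.

```python
import re

# One "key" = "value" pair, e.g. "srcip" = "1.1.1.1" (closing quote optional)
_PAIR = re.compile(r'"(?P<key>[^"]+)"\s*=\s*"?(?P<val>[^",]*)"?')

def log_dict(raw):
    """Parse a raw event such as '"srcip" = "1.1.1.1"' into a dict."""
    return {m.group("key"): m.group("val").strip() for m in _PAIR.finditer(raw)}

def enrich(fields, lookup):
    """Add srccountry via the injected lookup (a Shodan/Censys client in production).
    A failing lookup is recorded in enrich_error instead of aborting the search."""
    ip = fields.get("srcip")
    if not ip:
        return fields
    try:
        fields["srccountry"] = lookup(ip)
    except Exception as ex:          # API down, bad key, rate limit, unknown IP ...
        fields["enrich_error"] = str(ex)
    return fields

# Constructed stand-in for the external API (hypothetical data mirroring the post)
SAMPLE_GEO = {"1.1.1.1": "Japan"}

def demo_lookup(ip):
    return SAMPLE_GEO[ip]            # KeyError for unknown IPs -> handled by enrich()

def parse_and_enrich(raw, lookup=demo_lookup):
    return enrich(log_dict(raw), lookup)

try:
    import sys
    from splunklib.searchcommands import dispatch, StreamingCommand, Configuration

    @Configuration()
    class EnrichIpCommand(StreamingCommand):
        """Run as:  index=test | enrichip
        Events arrive through the pipeline, so the command never reads the index."""
        def stream(self, records):
            for record in records:
                record.update(parse_and_enrich(record.get("_raw", "")))
                yield record

    if __name__ == "__main__":
        dispatch(EnrichIpCommand, sys.argv, sys.stdin, sys.stdout, __name__)
except ImportError:
    pass  # splunklib is only present on the Splunk search head
```

The added srccountry field can then be charted directly on the dashboard, and enrich_error lets you count how many events the external lookup could not classify.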

ITWhisperer
SplunkTrust

That doesn't really explain what analysis Shodan is doing, so it is not possible to determine whether this could be done in SPL instead.

0 Karma