Hello,
I'm looking to enrich my search results with WHOIS data from a API call. I'm trying to create an external command to take the domain_name from an event, call the external command, add the json fields that it returns to the existing search results. What I have now replaces all of the search results instead of just adding the fields and doesn't currently work. I really do not know a lot about how the external search commands work. Can anyone give me pointers or have existing scripts that I can modify to work for me? I'll also add that I need to be able to enrich the data from the indexer tier. Possible?
import urllib
import json
import sys
from splunklib.searchcommands import dispatch, StreamingCommand, Configuration
@Configuration()
class ExStreamCommand(StreamingCommand):
def stream(self, records):
for record in records:
domain_name = record.get('domain_name')
url = "http://whoisserver:8080/whois/%s" %(domain_name)
response = urllib.urlopen(url)
data = json.loads(response.read())
yield data
if __name__ == "__main__":
dispatch(ExStreamCommand, sys.argv, sys.stdin, sys.stdout, __name__)
TIA,
Todd
... View more