I am currently working on an integration from a Python script, collecting a JSON object and parsing it to an event via the Splunk Add-on Builder; however, the object does not seem to appear within Splunk.
From the Add-on Builder code, I have a loop that cycles round an array extracting objects to ingest as events:
import json
import time

# helper and ew are supplied by the Add-on Builder's generated collect_events(helper, ew) scaffold
for item in item_group:
    helper.log_warning(item)
    stat_time = int(time.time())
    event = helper.new_event(time=stat_time, source="Addon-Helper", index="testing", sourcetype="_json", data=json.dumps(item))
    ew.write_event(event)
    helper.log_warning(event)
When I pull the extract from the log I get:
2022-03-08 10:43:56,350 WARNING pid=59367 tid=MainThread file=base_modinput.py:log_warning:302 | {'field_1': 'value_string', 'field_2': 'value_string', 'field_3': 'value_float', 'field_4': 'value_string', 'field_5': ['value_IP'], 'field_6': 'value_string', 'field_7': value_time, 'field_8': 'value_string', 'field_9': 'value_string'}
2022-03-08 10:43:56,351 WARNING pid=59367 tid=MainThread file=base_modinput.py:log_warning:302 | <splunklib.modularinput.event.Event object at 0x7f9072656250>
However, there is nothing added to the "testing" index, nor on a wildcard search, nor when searching for ingestion errors.
In addition, I have tried setting the data field to a string, which still creates the object, but Splunk does not seem to parse it:
event = helper.new_event(time=stat_time, source="Addon-Helper", index="testing", sourcetype="_json", data="Testing String")
ew.write_event(event)
This may simply be a staring-too-long-at-a-problem kind of challenge, where I am missing something basic, but any help would be great.
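Added example (my own code, not the poster's and not part of the Splunk SDK or Add-on Builder) showing what a write like the loop above actually puts on the modular input's stdout, plus the two checks I would run before blaming Splunk: that the target index is one you have confirmed exists, and that every item survives a json.dumps/json.loads round trip. Assumptions: `event_to_xml` mirrors my reading of the `<event>` XML that splunklib's `Event.write_to()` emits (treat the exact attribute set as an assumption); `parse_event`, `write_item_group` and `SAMPLE_ITEM_GROUP` are hypothetical names, and the sample item is constructed to match the shape of the logged dict, not real data. It runs offline with only the standard library.

```python
import json
import time
import xml.etree.ElementTree as ET
from io import StringIO

# Constructed sample input shaped like the dict in the log line above; not real data.
SAMPLE_ITEM_GROUP = [
    {
        "field_1": "value_string",
        "field_3": 1.5,
        "field_5": ["10.0.0.1"],
        "field_7": 1646736236,
    },
]


def event_to_xml(data, event_time=None, source=None, sourcetype=None,
                 index=None, host=None, unbroken=False, done=False):
    """Render one modular-input <event> element as a string.

    Assumption: this mirrors the XML that splunklib's Event.write_to() emits;
    it is a stand-in written for illustration, not the SDK's own code.
    """
    if data is None:
        raise ValueError("an event needs at least the data field set")
    event = ET.Element("event")
    event.set("unbroken", str(int(unbroken)))
    if event_time is not None:
        ET.SubElement(event, "time").text = str(event_time)
    for tag, value in (("source", source), ("sourcetype", sourcetype),
                       ("index", index), ("host", host), ("data", data)):
        if value is not None:
            ET.SubElement(event, tag).text = value
    if done:
        ET.SubElement(event, "done")
    return ET.tostring(event, encoding="unicode")


def parse_event(xml_text):
    """Parse an <event> string back into a dict; 'data' is decoded as JSON when possible."""
    root = ET.fromstring(xml_text)
    fields = {child.tag: child.text for child in root}
    fields["unbroken"] = root.get("unbroken")
    try:
        fields["data"] = json.loads(fields["data"])
    except (TypeError, ValueError):
        pass  # plain-string payloads (like "Testing String") stay as they are
    return fields


def write_item_group(item_group, stream=None, index="testing",
                     sourcetype="_json", known_indexes=None):
    """Serialise each item the way the loop in the post does, with two checks first.

    1. The target index must be in known_indexes when that set is given; an
       indexer drops events addressed to an index that does not exist (it
       logs the drop in splunkd.log), which looks exactly like "nothing
       appears anywhere".
    2. Every item must round-trip through json.dumps/json.loads, so that what
       reaches the _json sourcetype is parseable JSON.
    Returns the list of XML strings written to `stream` (a StringIO if None).
    """
    if known_indexes is not None and index not in known_indexes:
        raise ValueError(f"index {index!r} is not in {sorted(known_indexes)}")
    stream = StringIO() if stream is None else stream
    written = []
    for item in item_group:
        payload = json.dumps(item)      # TypeError here means the item is not JSON-serialisable
        json.loads(payload)             # round-trip check: Splunk will see valid JSON
        xml_text = event_to_xml(payload, event_time=int(time.time()),
                                source="Addon-Helper", sourcetype=sourcetype, index=index)
        stream.write(xml_text)
        written.append(xml_text)
    stream.flush()
    return written


if __name__ == "__main__":
    # Print the exact XML that would go to stdout, rather than the Event object's repr.
    for xml_line in write_item_group(SAMPLE_ITEM_GROUP, known_indexes={"main", "testing"}):
        print(xml_line)
```

Logging the rendered XML (or at least `json.dumps(item)`) instead of the Event object tells you what was actually handed to Splunk; `<splunklib.modularinput.event.Event object at ...>` only confirms an object was created. The index check is the one I would run first: the set passed as `known_indexes` should come from the indexes you can see on the target instance, not from what the add-on assumes.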