How can I send event log to custom search commands

bkhwang · ‎12-30-2022

Hello !!

I want to read index=test line by line and then analyze log by log_dict and parser_log function..

is it possible??

I am very desperate to solve this problem. please help me..ㅠ.ㅠ

@Configuration()
class GenerateTESTCommand(GeneratingCommand):
    
    event_log = read event_log(index)
    
    def generate(self):
        log = self.log_dict(self.event_log)
        if log:
            try:
                result = self.parse_log(log)
                yield result
                
            except BaseException as ex:
                print(log, ex)

ITWhisperer · ‎12-30-2022

If you are struggling to write a custom command, perhaps if you describe exactly what you are trying to achieve, there may be another way to do it with SPL?

bkhwang · ‎12-30-2022

Event log looks like event_log = ' "srcip" = "1.1.1.1"'

Analyze event_log using python script(searchcommand)

After analyze, new_log made

python script -> shodan.api(event_log) -> new_log

new_log = '"srcip" = "1.1.1.1", "srccountry=Japan"'

bkhwang · ‎12-30-2022

Umm I want to analyze my office log by other platform(like shodan)

Firtst, I send firewall log to splunk server and make index like index='test'

Second, if new log occured, my custom searchcommands read log and return new log which analyzed by shodan, censys.

Third, Draw graphes on dashboard with a new log

ITWhisperer · ‎12-30-2022

That doesn't really explain what analysis shodan is doing so it is not possible to determine whether this could be done in SPL instead.

How can I send event log to custom search commands

using Splunk Enterprise

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?