Splunk Dev
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do you run a Python script on (or before) an index?

agro1986001
Engager
‎01-23-2019 05:22 AM

Hi,

Is it possible to create a custom app on Splunk so that will run a Python script on a custom source (or sourcetype) before a new item is indexed? Specifically, I would also like to access the data that is incoming.

Suppose I have this event coming into splunk:

eventName=newUser firstName=henry lastName=adams

I would like to intercept it and then perhaps add fullName="henry adams"

PS: on my use case, I have to do the processing on/before index, so I cannot use real time alerts.

Best regards

Labels (1)
Labels
0 Karma
Reply

rameshprasad
New Member
‎12-10-2019 02:12 AM

Hi, I have a similar requirement where I want to intercept the event and want to modify the value of a field which will again come from a REST call. Basically I want to execute a script before sending the fields to index. I am getting data through HTTP Event Collector. Is this possible to do in Splunk?

0 Karma
Reply

vishaltaneja070
Motivator
‎01-23-2019 05:26 AM

Hello @agro1986001
I think the below example can be achieved using props and transform using regex

In Splunk using regex, you can replace the data inside the event. 

https://docs.splunk.com/Documentation/Splunk/7.2.3/Data/Configureindex-timefieldextraction
0 Karma
Reply

agro1986001
Engager
‎01-23-2019 05:34 AM

Hi @vishaltaneja07011993

I gave a simple example of reading data, but unfortunately what I'm doing is not just that. Let's say for example that my python script wants to write to a database (mysql, redis, etc.), which cannot be done using just splunk (only an example. the point is I really want a python script to be called). I want to know whether it's technically possible or not.

Thanks a lot!

0 Karma
Reply

vishaltaneja070
Motivator
‎01-23-2019 05:37 AM

@agro1986001

Okay. Yes you can call python script through splunk using inputs.conf. 

https://docs.splunk.com/Documentation/Splunk/7.2.3/AdvancedDev/ScriptedInputsIntro

And secondly, if we forward data to database from Splunk, you can relay on db connect as well.

0 Karma
Reply

agro1986001
Engager
‎01-23-2019 05:46 AM

Thanks, but that's different than what I want to accomplish.

I'm not trying to make a script that inputs data to splunk.

I already have data flowing into splunk. I just want a script to be called for every event before that event gets indexed.

0 Karma
Reply

vishaltaneja070
Motivator
‎01-23-2019 05:57 AM

@agro1986001

Sorry that doesn't seem to feasible using Splunk.

After indexing, i think still it is possible if you save it as alert but not before indexing.

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...