import json
import os
import time

from elasticsearch import Elasticsearch
import splunklib.client as client
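def elasticsearch_query(es_hostname, es_port, index_alias, es_query_body,
                        poll_interval=5, timeout=None):
    """Query ElasticSearch as per Defined Query.

    Waits for ``index_alias`` to exist before searching, sleeping
    ``poll_interval`` seconds between existence checks instead of
    re-issuing the check back-to-back as the original loop did.

    Args:
        es_hostname: Elasticsearch host name or address.
        es_port: Elasticsearch port, passed through to the client as given.
        index_alias: Index or alias name to wait for and then search.
        es_query_body: Query DSL body handed straight to ``search``.
        poll_interval: Seconds to sleep between existence checks.
        timeout: Maximum seconds to wait for the index; ``None`` waits
            forever, which matches the original behaviour.

    Returns:
        The raw ``search`` response dict.

    Raises:
        TimeoutError: if ``timeout`` elapses before the index exists.
    """
    # NOTE(review): the client is built from host/port only — no TLS or
    # credentials are configured here, so this relies on the cluster being
    # reachable only over a trusted network. Confirm with the deployment.
    es_client = Elasticsearch([{'host': es_hostname, 'port': es_port}])
    deadline = None if timeout is None else time.monotonic() + timeout
    # Poll instead of busy-looping: without a sleep the original hammered
    # the cluster with existence checks until the index appeared.
    while not es_client.indices.exists(index=index_alias):
        if deadline is not None and time.monotonic() >= deadline:
            raise TimeoutError(
                "index %r did not appear within %s seconds" % (index_alias, timeout))
        time.sleep(poll_interval)
    return es_client.search(index=index_alias, body=es_query_body)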
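def upload_to_splunk(ip, port, username, password, data, *, verify=False):
    """Send Collected Data to Splunk.

    Each element of ``data`` is submitted as one event to the ``main``
    index with sourcetype ``json_no_timestamp``. Elements that are not
    already strings are serialised with ``json.dumps``: the original used
    ``str()``, which for a dict yields a single-quoted Python repr that a
    JSON sourcetype cannot parse.

    Args:
        ip: Splunk management host.
        port: Splunk management port.
        username: Splunk user.
        password: Password for ``username``.
        data: Iterable of events (dicts or strings).
        verify: TLS certificate verification flag forwarded to
            ``client.connect``. Defaults to ``False`` to match the original
            call; pass ``True`` wherever the management port is reached over
            anything but a trusted network.

    Returns:
        True once every event has been submitted.
    """
    service = client.connect(
        host=ip,
        port=port,
        username=username,
        password=password,
        verify=verify,
    )
    target = service.indexes['main']
    for line in data:
        # Strings are forwarded untouched; anything else becomes JSON text.
        event = line if isinstance(line, str) else json.dumps(line)
        target.submit(event=event, sourcetype="json_no_timestamp")
    return True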
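# Connection settings. Splunk values may be overridden from the environment;
# the literal fallbacks are the values the script originally embedded.
ES_HOST = "localhost"
ES_PORT = "9200"
ES_INDEX = "nuage_event"
EVENT_TYPE = "TCA-PartnerVMsAntiSoofPackettoDatacenterAPPDBVMs"
SPLUNK_HOST = os.environ.get("SPLUNK_HOST", "10.0.0.4")
SPLUNK_PORT = os.environ.get("SPLUNK_PORT", "8089")
SPLUNK_USER = os.environ.get("SPLUNK_USER", "admin")
# NOTE(review): hard-coded credential inherited from the original script;
# set SPLUNK_PASSWORD in the environment so the fallback can be removed.
SPLUNK_PASSWORD = os.environ.get("SPLUNK_PASSWORD", "Splunk-R0ck5!")
STATE_DIR = '/usr/local/bin/vss-splunk'
TIMESTAMP_FILE = STATE_DIR + '/timestamps.txt'
DATA_FILE = STATE_DIR + '/data.txt'
QUERY_SIZE = 5
# Seconds to wait between polls when a query returns no hits; the original
# loops re-queried Elasticsearch immediately and never paused.
POLL_INTERVAL_S = 5


def _build_query(search_after=None):
    """Return the query body for the next page of events.

    ``search_after`` is the ``sort`` pair (timestamp, uid) of the last hit
    already processed; ``None`` requests the first page.
    """
    body = {
        "size": QUERY_SIZE,
        "query": {"term": {"type": EVENT_TYPE}},
        "sort": [{"timestamp": "asc"}, {"_uid": "desc"}],
    }
    if search_after is not None:
        body["search_after"] = list(search_after)
    return body


def _fetch_hits(search_after=None):
    """Run one query against ES_INDEX and return its hit list."""
    output = elasticsearch_query(ES_HOST, ES_PORT, ES_INDEX, _build_query(search_after))
    return output["hits"]["hits"]


def _persist_batch(hits):
    """Forward a non-empty ``hits`` list to Splunk and record it on disk.

    Overwrites TIMESTAMP_FILE with one JSON object holding the sort key of
    the last hit, and appends every hit to DATA_FILE. Returns the
    (timestamp, uid) sort pair of the last hit for the next page.
    """
    upload_to_splunk(SPLUNK_HOST, SPLUNK_PORT, SPLUNK_USER, SPLUNK_PASSWORD, hits)
    last_timestamp = hits[-1]["sort"][0]
    last_uid = hits[-1]["sort"][1]
    with open(TIMESTAMP_FILE, 'w') as file:
        file.write(json.dumps({"last_timestamp": last_timestamp, "last_uid": last_uid}))
        file.write('\n')
    # Open once per batch rather than once per item as before; the on-disk
    # line format (Python repr of the hit, not JSON) is deliberately kept.
    with open(DATA_FILE, 'a') as file:
        for item in hits:
            file.write("%s\n" % item)
    return last_timestamp, last_uid


if __name__ == '__main__':
    # First page: block until at least one matching event exists.
    hits = _fetch_hits()
    while not hits:
        time.sleep(POLL_INTERVAL_S)
        hits = _fetch_hits()
    cursor = _persist_batch(hits)
    # Tail the index indefinitely, paging with search_after from the last
    # processed sort key; the same code path served both loops originally.
    while True:
        hits = _fetch_hits(cursor)
        if hits:
            cursor = _persist_batch(hits)
        else:
            time.sleep(POLL_INTERVAL_S)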