Untitled

import json
import splunklib.client as client
from elasticsearch import Elasticsearch

def elasticsearch_query(es_hostname, es_port, index_alias,es_query_body):
    """Query ElasticSearch as per Defined Query"""
    es_client = Elasticsearch([{'host': es_hostname, 'port': es_port}])
    check_index = True
    while check_index:
        if es_client.indices.exists(index=index_alias):
            response = es_client.search(index=index_alias,body=es_query_body)
            check_index = False
            return response

def upload_to_splunk(ip,port,username, password, data):
    "Send Collected Data to Splunk."
    service = client.connect(
        host=ip,
        port=port,
        username=username,
        password=password,
        verify=False,
        )
    target = service.indexes['main']
    for line in data:
        target.submit(event=str(line), sourcetype="json_no_timestamp")
    return True

if __name__ == '__main__':
    query_size = 5
    query_body = {"size": query_size,"query": {"term" : { "type" : "TCA-PartnerVMsAntiSoofPackettoDatacenterAPPDBVMs"
                  } },"sort": [{"timestamp": "asc"},
                  {"_uid": "desc"}]}

    query_data_len = 0
    while query_data_len ==0:
        query_output = elasticsearch_query("localhost", "9200", "nuage_event", query_body )
        query_data = query_output["hits"]["hits"]
        query_data_len = len(query_data)
        if query_data_len != 0:
            upload_to_splunk("10.0.0.4","8089", "admin", "Splunk-R0ck5!", query_data)
            first_last_value_timestamp = query_data[-1]["sort"][0]
            first_last_value_uid = query_data[-1]["sort"][1]
            es_index_values = { "last_timestamp": first_last_value_timestamp, "last_uid": first_last_value_uid}
            with open('/usr/local/bin/vss-splunk/timestamps.txt', 'w') as file:
                file.write(json.dumps(es_index_values))
                file.write('\n')
            for item in query_data:
                with open('/usr/local/bin/vss-splunk/data.txt', 'a') as file:
                    file.write("%s\n" % item)

    update_timestamp = first_last_value_timestamp
    update_uid = first_last_value_uid
    while True:
        updated_query_body  = {"size": query_size,"query": {"term" : { "type" : "TCA-PartnerVMsAntiSoofPackettoDatacenterAPPDBVMs"} },
                              "search_after": [update_timestamp,update_uid],
                             "sort": [{"timestamp": "asc"},{"_uid": "desc"}]}
        updated_query_output = elasticsearch_query("localhost", "9200", "nuage_event", updated_query_body)
        updated_query_data = updated_query_output["hits"]["hits"]
        updated_query_len = len(updated_query_data)
        if updated_query_len != 0:
            upload_to_splunk("10.0.0.4","8089", "admin", "Splunk-R0ck5!", updated_query_data)
            update_timestamp = updated_query_data[-1]["sort"][0]
            update_uid = updated_query_data[-1]["sort"][1]
            es_index_values = { "last_timestamp": update_timestamp, "last_uid": update_uid}
            with open('/usr/local/bin/vss-splunk/timestamps.txt', 'w') as file:
                file.write(json.dumps(es_index_values))
                file.write('\n')
            for item in updated_query_data:
                with open('/usr/local/bin/vss-splunk/data.txt', 'a') as file:
                    file.write("%s\n" % item)