Writing a scripted input to gather data
Scripted inputs allow you to run some piece of code on a scheduled basis and capture its output as if it were simply being written to a file. It does not matter what language the script is written in, or where it lives, as long as it is executable. We touched on this topic in the Using scripts to gather data section in Chapter 11, Advanced Deployments. Let's write a few more examples.
Capturing script output with no date
One common problem with script output is the lack of a predictable date or date format. In this situation, the easiest thing to do is to tell Splunk not to try to parse a date at all and to use the current time instead. Let's make a script that lists open network connections:
from subprocess import Popen
from subprocess import PIPE
from collections import defaultdict
import re

def add_to_key(fieldname, fields):
    # Build a " name=value" fragment so Splunk can extract the field automatically
    return " " + fieldname + "=" + fields[fieldname]

output = Popen("netstat -n -p tcp", stdout=PIPE, ...
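As an added, complete illustration of the same idea (this is example code written for this section, not the script from the book), the following scripted input runs the page's netstat command, keeps only ESTABLISHED connections, counts them per (local address, local port, remote address) tuple and prints one key=value line per tuple. It emits no timestamp, so Splunk stamps each line with the time the script ran. The function names (parse_established, format_events, run_netstat), the regular expression and the constructed SAMPLE output are assumptions of this example; the regex accepts both the BSD/macOS address form (10.0.0.5.22) and the Linux form (10.0.0.5:22).

```python
"""Scripted input: summarise established TCP connections as key=value lines.
Example code for this section, not the book's script."""
from collections import defaultdict
from subprocess import PIPE, Popen
import re
import sys

# Data rows of `netstat -n` for TCP. Address and port are separated by '.'
# on BSD/macOS and by ':' on Linux; the non-greedy address group handles both,
# including IPv6 addresses that themselves contain colons.
CONN_RE = re.compile(
    r"^(?P<protocol>tcp\d*)\s+\d+\s+\d+\s+"
    r"(?P<local_addr>\S+?)[.:](?P<local_port>\d+)\s+"
    r"(?P<remote_addr>\S+?)[.:](?P<remote_port>\d+)\s+"
    r"(?P<state>\S+)"
)

# Constructed sample in the BSD/macOS layout; not captured from a real host.
SAMPLE = """Active Internet connections
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  10.0.0.5.22            10.0.0.9.51234         ESTABLISHED
tcp4       0      0  10.0.0.5.22            10.0.0.9.51240         ESTABLISHED
tcp4       0      0  10.0.0.5.443           203.0.113.7.40022      ESTABLISHED
tcp4       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  10.0.0.5.443           203.0.113.8.40100      TIME_WAIT
"""


def parse_established(netstat_output):
    """Count ESTABLISHED connections per (local_addr, local_port, remote_addr).

    Header lines, LISTEN sockets (no numeric remote port) and non-established
    states are skipped rather than reported as errors.
    """
    counts = defaultdict(int)
    for line in netstat_output.splitlines():
        m = CONN_RE.match(line)
        if not m or m.group("state") != "ESTABLISHED":
            continue
        f = m.groupdict()
        counts[(f["local_addr"], f["local_port"], f["remote_addr"])] += 1
    return dict(counts)


def format_events(counts):
    """Render one key=value event per tuple; sorted so output is stable."""
    lines = []
    for (local_addr, local_port, remote_addr), n in sorted(counts.items()):
        lines.append(
            "local_addr=%s local_port=%s remote_addr=%s count=%d"
            % (local_addr, local_port, remote_addr, n)
        )
    return lines


def run_netstat():
    """Run the page's netstat command and return its stdout as text."""
    proc = Popen(["netstat", "-n", "-p", "tcp"], stdout=PIPE, stderr=PIPE)
    out, _ = proc.communicate()
    return out.decode("utf-8", "replace")


def main(argv):
    # `--sample` lets you see the output format without a live netstat.
    if "--sample" in argv:
        text = SAMPLE
    else:
        try:
            text = run_netstat()
        except OSError as exc:
            sys.stderr.write("netstat failed: %s\n" % exc)
            return 1
    for line in format_events(parse_established(text)):
        print(line)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run with `--sample` to see the two summary lines the constructed data produces. Because the script prints no timestamp, pair it with a props.conf stanza for its sourcetype that sets DATETIME_CONFIG = CURRENT, which is the Splunk setting that skips timestamp extraction and uses the time the event was received.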