Signed-off-by: Shashank Reddy Boyapally <[email protected]>
1 parent
3229459
commit f943b2d
Showing
3 changed files
with
74 additions
and
1 deletion.
@@ -0,0 +1,71 @@ | ||
# pylint: disable = C0209, R0913, E0401 | ||
""" | ||
Matcher for splunk datasource | ||
""" | ||
from typing import Dict, Any | ||
import orjson | ||
from splunklib import client, results | ||
|
||
|
||
class SplunkMatcher: | ||
"""Splunk data source matcher""" | ||
|
||
def __init__( | ||
self, host: str, port: int, username: str, password: str, indice: str | ||
): # pylint: disable = R0917 | ||
self.indice = indice | ||
self.service = client.connect( | ||
host=host, port=port, username=username, password=password | ||
) | ||
|
||
async def query( | ||
self, query: Dict[Any, Any], searchList: str = "", max_results: int = 10000 | ||
): | ||
""" | ||
Query data from splunk server using splunk lib sdk | ||
Args: | ||
query (string): splunk query | ||
OPTIONAL: searchList (string): additional query parameters for index | ||
""" | ||
query["count"] = max_results | ||
|
||
# If additional search parameters are provided, include those in searchindex | ||
searchindex = ( | ||
"search index={} {}".format(self.indice, searchList) | ||
if searchList | ||
else "search index={}".format(self.indice) | ||
) | ||
try: | ||
oneshotsearch_results = self.service.jobs.oneshot(searchindex, **query) | ||
except Exception as e: # pylint: disable = W0718 | ||
print("Error querying splunk: {}".format(e)) | ||
return None | ||
|
||
# Get the results and display them using the JSONResultsReader | ||
res_array = [] | ||
async for record in self._stream_results(oneshotsearch_results): | ||
try: | ||
res_array.append( | ||
{ | ||
"data": orjson.loads(record["_raw"]), # pylint: disable = E1101 | ||
"host": record["host"], | ||
"source": record["source"], | ||
"sourcetype": record["sourcetype"], | ||
"bucket": record["_bkt"], | ||
"serial": record["_serial"], | ||
"timestamp": record["_indextime"], | ||
} | ||
) | ||
except Exception as e: # pylint: disable = W0718 | ||
print(f"Error on including Splunk record query in results array: {e}") | ||
|
||
return res_array | ||
|
||
async def _stream_results(self, oneshotsearch_results: Any) -> Any: | ||
for record in results.JSONResultsReader(oneshotsearch_results): | ||
yield record | ||
|
||
async def close(self): | ||
"""Closes splunk client connections""" | ||
await self.service.logout() |
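Review bot: `searchList` and `self.indice` are interpolated verbatim into the SPL command in `searchindex = ("search index={} {}".format(self.indice, searchList) ...)`, so if either value originates outside the process the search that runs under the configured credentials can be altered; validate them against an allowlist before formatting, or at minimum state the contract in the `query` docstring: `searchList must be trusted SPL text; it is concatenated into the search command unescaped`. `query["count"] = max_results` also writes into the caller's dict; `query = {**query, "count": max_results}` avoids that side effect. The `except Exception` around `oneshot` prints and returns `None`, which makes a failed search indistinguishable from an empty result for callers that only test truthiness — re-raise, or log via `logging.exception` and document the `None` return. `_stream_results` is declared `async` but iterates `JSONResultsReader` synchronously, and `close` awaits `self.service.logout()`, which in the splunklib SDK appears to be a blocking, non-awaitable call — confirm against the SDK version in use, since awaiting a plain return value raises `TypeError`.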