Skip to content

Latest commit

 

History

History
38 lines (27 loc) · 1.49 KB

README.md

File metadata and controls

38 lines (27 loc) · 1.49 KB

splunk-elasticsearch

I have created a search command for Splunk which will allow you to search Elastic Search and display the results in the Splunk GUI

This project is now a valid splunk application and installs as you would any other splunk applications Steps
Install python if it is not installed

Install ElasticSearch https://github.com/elasticsearch/elasticsearch-py
"pip install elasticsearch "

This project is now a Splunk Application so just copy the splunk-elasticsearch directory to your splunk $SPLUNK_HOME/etc/apps directory and should work

====================================================== git clone "This Project"
rsync -av splunk-elasticsearch $SPLUNK_HOME/etc/apps

Now you should be able to do a simple search like
| esearch | top message

or
| esearch oldest=now-100d earliest=now query="some text" index=nagios* limit=1000 field=message

================================================
command reference:
esearch
oldest = default (now-1d) uses elasticsearch timedate value or function
earliest = default (now) uses elasticsearch timedate value or function
index = default () sepecify the elasticsearch index to search
limit = default (50) number of records to return
field = default ("message") which elasticsearch field to query and return the value
query = default ("
" | might change this to match_all) the elasticsearch query_string