Filebeat's httpjson input can be used to query Splunk's REST API and ingest the original raw data. This does not use any Splunk processing (CIM or apps). This doc covers two common use cases. The first is ingesting from the current time forward, for example when you want to compare how Splunk and Elastic differ in detections on the same data. The second is ingesting historical data, for example when you want to pull in the last 6 months of data to compare how Splunk and Elastic differ. This method is good for comparing Elastic and Splunk, but shouldn't be considered a final ingest strategy for customers.

This will only work for Filebeat modules where the raw message stored in Splunk is the same as what the input provides. Modules that won't work are netflow and Winlogbeat, because each of those does heavy processing on the raw data.
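As an added example (not the page's own script), the following shows the two pieces the use cases above depend on: building the form fields for Splunk's search export endpoint (a relative `earliest_time` such as `-6mon` for the historical backfill, the last seen `_time` for the current-forward case) and pulling only the raw message out of the newline-delimited JSON the export returns. The sample export lines are constructed; the `host` and `_raw` values are made up.

```python
"""Added example: prepare a Splunk export query and extract raw events."""
import json
from typing import Dict, List, Optional

# Constructed sample of what /services/search/jobs/export returns with
# output_mode=json. The first line is a preview record, which Splunk emits
# before results are final and which must be skipped.
SAMPLE_EXPORT = "\n".join([
    json.dumps({"preview": True, "offset": 0, "result": {}}),
    json.dumps({"preview": False, "offset": 0, "result": {
        "_time": "2023-05-01T10:00:01.000+00:00", "host": "web1",
        "_raw": '10.0.0.5 - - [01/May/2023:10:00:01 +0000] "GET /login HTTP/1.1" 200 512'}}),
    json.dumps({"preview": False, "offset": 1, "result": {
        "_time": "2023-05-01T10:00:07.000+00:00", "host": "web2",
        "_raw": '10.0.0.9 - - [01/May/2023:10:00:07 +0000] "POST /login HTTP/1.1" 401 128'}}),
])


def export_params(search: str, earliest: str, latest: str = "now") -> Dict[str, str]:
    """Form fields for the export endpoint. Splunk requires the leading
    'search' keyword; Splunk relative times like '-6mon' are accepted."""
    if not search.lstrip().startswith("search"):
        search = "search " + search
    return {"search": search, "output_mode": "json",
            "earliest_time": earliest, "latest_time": latest}


def parse_export(ndjson: str) -> List[Dict[str, str]]:
    """One {'time', 'host', 'raw'} dict per final (non-preview) event.
    Only _raw is kept so that the Filebeat module sees the same message
    the original input would have delivered."""
    events = []
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        if record.get("preview"):
            continue
        result = record["result"]
        events.append({"time": result["_time"],
                       "host": result.get("host", ""),
                       "raw": result["_raw"]})
    return events


def next_cursor(events: List[Dict[str, str]], previous: Optional[str]) -> Optional[str]:
    """Latest _time seen, to use as earliest_time on the next poll. ISO
    timestamps with the same offset compare correctly as strings."""
    times = [e["time"] for e in events]
    if previous:
        times.append(previous)
    return max(times) if times else None
```

Polling with `earliest_time` set to the returned cursor re-reads events that share that exact timestamp, so deduplicate on the event id (Elasticsearch document `_id`) downstream rather than relying on the cursor alone.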
```python
#!/usr/bin/env python3
import argparse
import json
import os
import pprint
import difflib


def parse_args():
    # Argument definitions follow here; the rest of the script is not shown on this page.
    parser = argparse.ArgumentParser()
```
- Install Homebrew https://brew.sh/
- Install python3 with Homebrew
  brew install python
- Install go with Homebrew
  brew install golang
- Install Docker with Homebrew (start it after install; it should be in the Applications folder)
  brew cask install docker