I have created a search command for Splunk which will allow you to search Elastic Search and display the results in the Splunk GUI
This project is now a valid splunk application and installs as you would any other splunk applications
Steps
Install python if it is not installed
Install ElasticSearch https://github.com/elasticsearch/elasticsearch-py
"pip install elasticsearch "
This project is now a Splunk Application so just copy the splunk-elasticsearch/search-elasticsearch directory to your splunk $SPLUNK_HOME/etc/apps directory and should work
======================================================
git clone "This Project"
rsync -av splunk-elasticsearch/search-elasticsearch $SPLUNK_HOME/etc/apps
Now you should be able to do a simple search like
| es | top message
or
| es oldest=now-100d earliest=now query="some text" index=nagios* limit=1000 field=message
================================================
command reference:
es
oldest = default (now-1d) uses elasticsearch timedate value or function
earliest = default (now) uses elasticsearch timedate value or function
index = default () sepecify the elasticsearch index to search
limit = default (50) number of records to return
field = default ("message") which elasticsearch field to query and return the value
query = default ("" | might change this to match_all) the elasticsearch query_string