Improve Humio imports.

keithjjones · keithjjones · commit 078b531dc277 · 2022-08-18T09:22:29.000-04:00
diff --git a/CHANGES b/CHANGES
@@ -1,3 +1,4 @@
+v0.3.15         Improved Humio import.
 v0.3.14         Removed a print statement.
 v0.3.13         Fixed some errors on Humio import.
 v0.3.12         Will continue to populate data after a Humio error.
diff --git a/Readme.md b/Readme.md
@@ -17,6 +17,7 @@ logs into [ElasticSearch's bulk load JSON format](https://www.elastic.co/guide/e
 - [Command Line Options](#commandlineoptions)
 - [Requirements](#requirements)
 - [Notes](#notes)
+  - [Humio](#humio)
   - [JSON Log Input](#jsonloginput)
   - [Data Streams](#datastreams)
   - [Helper Scripts](#helperscripts)
@@ -318,6 +319,18 @@ You will need to add -k -u elastic_user:password if you are using Elastic v8+.
 
 ## Notes <a name="notes" />
 
+### Humio <a name="humio" />
+
+To import your data into Humio you will need to set up a repository with the `corelight-json` parser.  Obtain
+the ingest token for the repository and you can import your data with a command such as:
+
+```
+python3 zeek2es.py -s -b --humio http://localhost:8080 b005bf74-1ed3-4871-904f-9460a4687202 http.log 
+```
+
+The URL should be in the format of: `http://yourserver:8080`, as the rest of the path is added by the
+`zeek2es.py` script automatically for you.
+
 ### JSON Log Input <a name="jsonloginput" />
 
 Since Zeek JSON logs do not have type information like the ASCII TSV versions, only limited type information 
diff --git a/zeek2es.py b/zeek2es.py
@@ -445,7 +445,14 @@ def main(**args):
                         # Prepare the output and increment counters
                         if args['humio']:
                             d['ts'] = d['ts'] + "Z"
-                            d["_write_ts"] = d["ts"]
+                            if "_write_ts" in d:
+                                d['_write_ts'] = d['_write_ts'] + "Z"
+                            else:
+                                d["_write_ts"] = d["ts"]
+                            if "_path" not in d:
+                                d["_path"] = zeek_log_path
+                            if (len(args['name'].strip()) > 0):
+                                d["_system_name"] = args['name'].strip()
                         d["@timestamp"] = d["ts"]
                         outstring += json.dumps(d)+"\n"
                         n += 1

Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,4 @@`
	`1`	`+v0.3.15 Improved Humio import.`
`1`	`2`	`v0.3.14 Removed a print statement.`
`2`	`3`	`v0.3.13 Fixed some errors on Humio import.`
`3`	`4`	`v0.3.12 Will continue to populate data after a Humio error.`