this is an interesting use case. It won't be trivial to implement this because it's not officially supported. Here are some pieces you would need to do this:
It's possible to create new routes on the Kibana server by installing plugins. Check out the default plugin created by the plugin generator, it contains a server route. You can register a javascript callback that will be called if a request is sent to the path of your registered route. From there you can invoke your python script from javascript and forward the paramater - this blog post for example shows how this can be done.
To actually trigger the server side route your Kibana plugin also needs a client side part that listens to created filters and calls the server side route if the filter is created. The plugin generator will also generate examplary client side code you can start with. In your case the hack.js file would be the right place to start because it will be included into each page of Kibana. Currently there is no stable API to get notified when a filter changes - it would be possible to integrate with the Kibana app using angular dependency injection and the appState service, but that API will be removed soon in an upcoming version. The easiest way to hook into this right now would be to listen for URL changes because all filters are persisted in the URL. By parsing the _a and _g parameters as rison, you get an object back containing the filters.
E.g. in this URL http://localhost:5301/ihx/app/kibana#/discover?_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-15m,to:now))&_a=(columns:!(_source),filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:ff959d40-b880-11e8-a6d9-e546fe2bba5f,key:ip,negate:!f,params:(query:'127.0.0.1'),type:phrase),query:(match_phrase:(ip:'127.0.0.1')))),index:ff959d40-b880-11e8-a6d9-e546fe2bba5f,interval:auto,query:(language:kuery,query:''),sort:!(!(order_date,desc))) the filter ip:127.0.0.1is encoded. By checking the value of these objects on every url change, you can detect when an ip filter is changed. Then you can use the kfetch (import { kfetch } from 'ui/kfetch';) utility to call your server side route.
Be aware though that all client side logic like this can be circumvented by a malicious user (e.g. blocking the request to your server side route), so if that's an issue for your use case, you should move all logic to the server side (e.g. by intercepting search requests made to Elasticsearch with a proxy server)
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.