https://community.splunk.com/t5/Splunk-Dev/Add-an-add-on-command-in-splunk/m-p/670674#M11277 <P>You may find our documentation on custom search commands helpful:&nbsp;<A href="https://dev.splunk.com/enterprise/docs/devtools/customsearchcommands/" target="_blank">https://dev.splunk.com/enterprise/docs/devtools/customsearchcommands/</A></P><P>This topic includes some useful information on building different types of custom search commands as well as links to examples.</P> Mon, 04 Dec 2023 16:47:21 GMT thellmann 2023-12-04T16:47:21Z https://community.splunk.com/t5/Splunk-Dev/Add-an-add-on-command-in-splunk/m-p/668669#M11255 <P>I want to add a command to my add on, with the aim of passing the splunk spl query results to that command, and then processing it to return the data to splunk's statistical information.</P><P>there is my spl command:index="test" | stats count by asset | eval to_query=asset | fields to_query | compromiseBut the processing of requests in my command is synchronous, which consumes a lot of time</P><DIV>def stream(self, records):<DIV>&nbsp;&nbsp;&nbsp;&nbsp;for record in records:<DIV>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;logger.info(records)<DIV>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;to_query = record.get("to_query")<DIV>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;data = self.ti_compromise(to_query)<DIV>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;logger.info(data)<DIV>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;if data:<DIV>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;res = deepcopy(record)<DIV>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;if data[to_query]:<DIV>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;for ioc in data[to_query]:<DIV>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;if not ioc["ioc"][2]:<DIV>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;ioc["ioc"][2] = " "<DIV>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;res.update({PREFIX + key: value for key, value in ioc.items()})<DIV>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;yield res<DIV>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;else:<DIV>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;res.update(EMPTY_RTN)<DIV>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;yield res<DIV>&nbsp;<DIV>&nbsp;<DIV>The method of "self.ti_compromise(to_query)" is to request other interfaces.<DIV>&nbsp;<DIV>Can I modify the above method to concurrent processing on Splunk?　If possible, which plan would be better。<DIV>Also, can the statistical information of Splunk receive list types, such as：<DIV>&nbsp;<DIV><PRE>[<BR /> {<BR /> <SPAN>"alert_name": <SPAN>"aaaaaaaaaaaa"<SPAN>,<BR /> <SPAN>"campaign": <SPAN>""<SPAN>,<BR /> <SPAN>"confidence": <SPAN>""<SPAN>,<BR /> <SPAN>"current_status": <SPAN>""<SPAN>,<BR /> }<SPAN>,<BR /> {<BR /> <SPAN>"alert_name": <SPAN>"bbbbbbbbbbbb"<SPAN>,<BR /> <SPAN>"campaign": <SPAN>""<SPAN>,<BR /> <SPAN>"confidence": <SPAN>""<SPAN>,<BR /> <SPAN>"current_status": <SPAN>""<SPAN>,<BR /><SPAN><BR /> }<BR /><BR />]</SPAN></SPAN></SPAN></SPAN></SPAN></SPAN></SPAN></SPAN></SPAN></SPAN></SPAN></SPAN></SPAN></SPAN></SPAN></SPAN></SPAN></SPAN></SPAN></SPAN></SPAN></SPAN></SPAN></SPAN></SPAN></SPAN></PRE></DIV></DIV></DIV></DIV></DIV></DIV></DIV></DIV></DIV></DIV></DIV></DIV></DIV></DIV></DIV></DIV></DIV></DIV></DIV></DIV></DIV></DIV></DIV></DIV></DIV><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup"></LI-CODE><P>&nbsp;</P><P>&nbsp;</P> Tue, 21 Nov 2023 21:08:07 GMT https://community.splunk.com/t5/Splunk-Dev/Add-an-add-on-command-in-splunk/m-p/668669#M11255 lremember 2023-11-21T21:08:07Z https://community.splunk.com/t5/Splunk-Dev/Add-an-add-on-command-in-splunk/m-p/669396#M11268 <P>Synchronous processing is the norm for a streaming command.&nbsp; Perhaps you want a reporting command.&nbsp; See the bottom of <A href="https://docs.splunk.com/DocumentationStatic/PythonSDK/1.7.4/index.html" target="_blank">https://docs.splunk.com/DocumentationStatic/PythonSDK/1.7.4/index.html</A> for command types.</P> Tue, 21 Nov 2023 21:19:41 GMT https://community.splunk.com/t5/Splunk-Dev/Add-an-add-on-command-in-splunk/m-p/669396#M11268 richgalloway 2023-11-21T21:19:41Z https://community.splunk.com/t5/Splunk-Dev/Add-an-add-on-command-in-splunk/m-p/670674#M11277 <P>You may find our documentation on custom search commands helpful:&nbsp;<A href="https://dev.splunk.com/enterprise/docs/devtools/customsearchcommands/" target="_blank">https://dev.splunk.com/enterprise/docs/devtools/customsearchcommands/</A></P><P>This topic includes some useful information on building different types of custom search commands as well as links to examples.</P> Mon, 04 Dec 2023 16:47:21 GMT https://community.splunk.com/t5/Splunk-Dev/Add-an-add-on-command-in-splunk/m-p/670674#M11277 thellmann 2023-12-04T16:47:21Z