topic Help needed with Custom Command in Splunk Dev

Help needed with Custom Command

bloodstrife — Tue, 17 Sep 2013 03:20:23 GMT

Hi there, I have just started working on Splunk and is totally new to Python.
For my situation, I would like to create a custom command just like any other commands(e.g. Top/ Rare), I would like my custom command to display the current system time.

here is my Python script:
CurrentTime.py

import time;

localtime = time.localtime(time.time())
print "Local current time :", localtime

And here is my commands.conf

[CurrentTime]
type = python
filename = CurrentTime.py
streaming = false
generating = false

Not sure if the above codes are correct, but if they were functional, what should I do to actually get it to display the current system time on my Splunk app?

Re: Help needed with Custom Command

HiroshiSatoh — Tue, 17 Sep 2013 07:20:14 GMT

It is output by a screen if I make modifications in this way.
Please learn it to see a document and a sample. I think that it is simple and can refer to uniq.py of the search.

CurrentTime.py

import time
from splunk.Intersplunk import getOrganizedResults, outputResults, getKeywordsAndOptions
results, dummy, settings = getOrganizedResults()

#localtime = time.localtime(time.time())
localtime = time.asctime(time.localtime())

results = []
event = {}
event['message'] = "Local current time :" + localtime
results.append(event)
outputResults(results)

Re: Help needed with Custom Command

MuS — Tue, 17 Sep 2013 07:24:26 GMT

Hi bloodstrife

after you put your script into etc/apps/YourApp/bin folder and placed the commands.conf into etc/apps/YourApp/default folder, restart Splunk and switch to YourApp. There simply enter the following search command:

  | CurrentTime

and this will run your command.

But I tested your script and the output is none. Here is a quick and dirty rewrite to get it printing current time in csv like output that Splunk likes:

import time;
mytime = time.localtime(time.time())
print "my_year ,my_mon ,my_mday ,my_hour ,my_min ,my_sec ,my_wday ,my_yday" 
print "%s, %s, %s ,%s ,%s ,%s ,%s ,%s" % (mytime.tm_year, mytime.tm_mon, mytime.tm_mday, mytime.tm_hour, mytime.tm_min, mytime.tm_sec, mytime.tm_wday, mytime.tm_yday)

I'm pretty sure there are better ways to do this in python 😉
But nevertheless hope that helps ....

Cheers, MuS

Re: Help needed with Custom Command

jonuwz — Tue, 17 Sep 2013 12:23:43 GMT

Or you could just do this to get the exact time the event was processed (different for each event)

| eval current_time=time()

Or this to get the time the search was kicked off:

| eval current_time=now()