topic Re: Server Side Execution in Splunk Search

Server Side Execution

lwalhoefer — Thu, 03 Mar 2011 22:27:51 GMT

Hi,

does Splunk has a possibility to run server side scripts (python, ruby) based on a splunk search result? The search output should be the input (e.g. a number or list of numbers) for the server side script.

Something like this: ... | fields X | my_server_script X

Thanks!

Re: Server Side Execution

dwaddle — Thu, 03 Mar 2011 22:33:53 GMT

This should be possible by defining a custom search command. Your new search command extends the Splunk search language, and Splunk uses your new command by calling the script that implements it. Some of the existing commands in Splunk (iplocation) are implemented using this facility. These scripts are currently expected to be python scripts. A "runshellscript" command exists in my $SPLUNK_HOME/etc/apps/search/default/commands.conf that looks somewhat interesting.

Your command would receive a stdin dump of the current search results, which you could do as you please with.

Docs at http://www.splunk.com/base/Documentation/latest/SearchReference/Aboutcustomsearchcommands

Re: Server Side Execution

piebob — Thu, 03 Mar 2011 23:51:57 GMT

you could also define a scripted alert that fires off a script using search results when a set condition is met:

http://www.splunk.com/base/Documentation/latest/Admin/Configurescriptedalerts