topic Re: Adding python script to search app in Splunk Search

Adding python script to search app

bkirk — Wed, 04 Jun 2014 13:58:33 GMT

I have python script I want to add to the search app in splunk 5.0.3, I found some documentation: http://docs.splunk.com/Documentation/Splunk/5.0.3/Search/AddthecustomcommandtoSplunk

Now to make sure I am doing things correctly I copied the uniq.py and called it test.py and modified the commands.conf all in the $SPLUNK_HOME/etc/apps/search folder.

After restarting splunk I can see the script in: Manager > Advanced search > Search commands

However when I tried to use it I get an error:

Error in 'test' command: This command must be the first command of a search.

Meanwhile uniq work fine, obviously since that was built into splunk.

Thank you,

Brian

Re: Adding python script to search app

LukeMurphey — Wed, 04 Jun 2014 16:12:06 GMT

How are you calling the command? Your search should have a leading pipe and your command being the first command; something like:

| test

Re: Adding python script to search app

bkirk — Wed, 04 Jun 2014 19:19:51 GMT

Yes, when I do {my search} | uniq I get my expected results however when I do {my search} | test I get:

Error in 'test' command: This command must be the first command of a search.

Re: Adding python script to search app

bkirk — Tue, 10 Jun 2014 20:24:56 GMT

Ok I was able to get my custom python script to work however I needed to do the following:

Add my script to the $SPLUNK_HOME/etc/system/bin directory
Modify the $SPLUNK_HOME/etc/system/default/transforms.conf to include the fields:

[myscript] external_cmd = myscript.py InputField OutputField fields_list = InputField OutputField

Use my script as follows:

{My Search} |lookup myscript InputField as SearchField |table OutputField

Thank you,
Brian