All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forย 
Search instead forย 
Did you mean:ย 
Ask a Question

How to run custom python script from search app?

realsplunk
Builder
โ€Ž11-22-2017 09:05 AM

Hello,

I would like to call scorelookup.py directly from splunk search using | scorelookup ip 0 (also why must we add an argument after the ip?)

I think I should create commands.conf in etc/apps/search/local

Thanks.

0 Karma
Reply

mmaier_splunk
Splunk Employee
Splunk Employee
โ€Ž11-27-2017 09:31 AM

Hi realsplunk,

i think you are asking that you want to call it from the search app. I just did a default installation and the lookup definition you found is set to global by default. So it should work in the search app - scripted lookup is called "threatscore" - not scorelookup. It's also not a search command - it's a scripted lookup so you need to add "lookup" in front of it.

correct use:
lookup threatscore clientip as %yourcustomfieldifnotclientip%

In the lookup you do not need to add another parameter (0). That's just in the config what's coming back to Splunk (IP+Score is sent back from the script into Splunk then).

Hope that helps you.
Best

0 Karma
Reply

micahkemp
Champion
โ€Ž11-22-2017 09:09 AM

You're looking for a custom search command, it seems. The scope of implementing one can be large (or not so large), but you probably want to start here:

http://dev.splunk.com/view/python-sdk/SP-CAAAEU2

0 Karma
Reply