Is it possible to use the content of a text input token to run a search? So instead of:
index="my_index" | ...
$token_text$ | ...
The goal here is to pass the text content to an external script and then be able to output a result. The text that needs to be analyzed, however, is not within an index, but is provided ad-hoc.
Is this possible?
Hi, in this case you need to create a custom search command. You can find more information here: http://dev.splunk.com/view/python-sdk/SP-CAAAEU2 and here: http://docs.splunk.com/Documentation/Splunk/6.5.2/Search/Writeasearchcommand
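An example of the custom search command suggested in the answer above, added here and not taken from the thread or from Splunk's documentation: a generating command built on the Splunk SDK for Python that receives the ad-hoc text as an argument, hands it to an external script on stdin without going through a shell, and returns the script's output lines as events. The command name `analyzetext`, the `text` option, the length cap and the stand-in analyzer script are assumptions made for illustration.

```python
import subprocess
import sys
import time

try:
    # Provided by the Splunk SDK for Python (splunklib), bundled inside the app.
    from splunklib.searchcommands import dispatch, GeneratingCommand, Configuration, Option
except ImportError:
    dispatch = None  # lets the analysis functions be exercised outside Splunk

MAX_LEN = 10000  # assumed upper bound on the text accepted from the dashboard

# Hypothetical external analyzer: reads the text on stdin, prints result lines.
# Replace with the argv list of the real script; it is never run through a shell.
ANALYZER = [sys.executable, "-c",
            "import sys; t = sys.stdin.read(); "
            "print('chars=%d words=%d' % (len(t), len(t.split())))"]


def analyze(text, argv=ANALYZER):
    """Send text to the external script on stdin and return its output lines."""
    if len(text) > MAX_LEN:
        raise ValueError("text longer than %d characters" % MAX_LEN)
    # argv is a list and the user text travels on stdin, so quotes, pipes or
    # semicolons in the token are plain data to the script, not shell syntax.
    proc = subprocess.run(argv, input=text, capture_output=True,
                          text=True, timeout=30, check=True)
    return proc.stdout.splitlines()


def to_events(text):
    """Turn each output line of the script into one event dictionary."""
    now = time.time()
    return [{"_time": now, "_raw": line, "input": text} for line in analyze(text)]


if dispatch is not None:
    @Configuration()
    class AnalyzeTextCommand(GeneratingCommand):
        """Usage in a search: | analyzetext text="some ad-hoc text" """
        text = Option(require=True)

        def generate(self):
            for event in to_events(self.text):
                yield event

    if __name__ == "__main__":
        dispatch(AnalyzeTextCommand, sys.argv, sys.stdin, sys.stdout, __name__)
```

The script has to be registered in the app's commands.conf before the search can call it. In the dashboard search, writing the token as `$token_text|s$` makes Splunk quote and escape the value before it is placed into the search string.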
If you need to turn a carefully constructed string of text into "fake" events, check out this Q&A which describes exactly this: