
commands.conf not updating custom search commands

Explorer

I have created a custom search command and placed my .py file in search/bin, and then I created a search/local/commands.conf file and added:

[data]
filename = data.py
streaming = false
changes_colorder = false

However, when I restart Splunk on the web interface, the search command doesn't show up. And when I change the name of a command in the default/commands.conf file and restart Splunk, that doesn't show up either.

I have a test server that I tried everything on first and it all worked fine, but when I made the same changes on a search head we use every day, the search command doesn't show up under custom search commands.

I am using Ubuntu and Splunk version 4.3.2.

Is there something that is stopping Splunk from grabbing the config files?
Any help would be appreciated.

Thanks,
Lucas

1 Solution

Communicator

Did you check that your Python script has execution rights and that you can run it manually?

I'm not sure if it's the best idea to add custom search commands under the search app. I would package them as separate apps/add-ons in their own directories to make sure nothing gets overwritten in the next Splunk upgrade. I wrote an example of plugging legacy scripts as Splunk search commands. I hope that will help you find what you were missing.


Explorer

So it turns out that we use a shared directory that is linked to all of our Splunk instances that we use. I didn't know that, so I was installing everything to the wrong folder.

Thanks

0 Karma

Explorer

I am able to run the scripts on the machine that Splunk is installed on, and I have already checked permissions and everything looks identical to my test machine. Hopefully the local directory that I created in the search app will not be overridden if we do update, but I will look into the separate app.

0 Karma
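
The checks discussed in this thread (the stanza is present in an app's commands.conf, the script sits in that app's bin directory and is executable, and the apps directory is the one the instance really reads), as an added example that is not part of the original posts. The function names are hypothetical, and it assumes the shared directory shows up as a symlink at etc/apps.

```shell
#!/bin/sh
# Added example: audit where a custom search command is defined under a Splunk
# home and whether its script is usable. Layout follows the post:
# etc/apps/<app>/{default,local}/commands.conf and etc/apps/<app>/bin/.
# Only stanzas with an explicit "filename =" line are checked.

# Print the filename configured for stanza [$2] in conf file $1 (empty if none).
stanza_filename() {
    awk -v want="[$2]" '
        /^[ \t]*\[/ { gsub(/[ \t\r]/, ""); in_stanza = ($0 == want); next }
        in_stanza && /^[ \t]*filename[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t\r]+$/, ""); print; exit
        }' "$1"
}

# check_command SPLUNK_HOME COMMAND
# Prints one line per finding; returns 0 only if a usable definition exists.
check_command() {
    home=$1; cmd=$2; ok=1
    apps=$home/etc/apps
    # A symlinked apps directory means edits must land in the link target.
    [ -L "$apps" ] && echo "NOTE apps dir is a symlink to $(readlink "$apps")"
    for conf in "$apps"/*/default/commands.conf "$apps"/*/local/commands.conf; do
        [ -f "$conf" ] || continue
        file=$(stanza_filename "$conf" "$cmd")
        [ -n "$file" ] || continue
        app=${conf%/*/commands.conf}      # strip /<default|local>/commands.conf
        script=$app/bin/$file
        if [ ! -f "$script" ]; then
            echo "MISSING $script (from $conf)"
        elif [ ! -x "$script" ]; then
            echo "NOEXEC $script (from $conf)"
        else
            echo "OK $script (from $conf)"; ok=0
        fi
    done
    [ "$ok" -eq 0 ] || echo "FAIL no usable [$cmd] definition under $apps"
    return "$ok"
}
```

Run it as `check_command "$SPLUNK_HOME" data` on the search head itself; `splunk cmd btool commands list --debug` additionally shows which file each setting is read from.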