Re: Execute Splunk SPL in custom command

randomforests09 · ‎06-11-2019

Hi,

Im building my first own Splunk app with python. Now I'm asking if it's possible to execute Splunk SPL with the records I receive?

An example:

| input lookup data.csv | fields computer user bytes location | mycommand

Now "mycommand" receives the data in a python script.

Python -> execute "| where bytes > 7000"

Now the command should return the data.csv with bytes higher than 7000. The filtering was executed on the app.

Thanks for your help!

pramit46 · ‎06-18-2019

Hi @randomforests09

You can refer the following links for help in building a custom command:

http://dev.splunk.com/view/SP-CAAAFFT
http://dev.splunk.com/view/custom-spl/SP-CAAAFG3

What I suggest is, you form the whole query directly in your python script. Then execute the search from the script itself.
you will find a few examples here: http://dev.splunk.com/view/python-sdk/SP-CAAAEE5

Do let me know if that helps.

dmarling · ‎06-11-2019

You may get more mileage out of an existing solution in Splunk by using a search macro instead a python script to execute more SPL. Check out a previously solved answer where a macro is created that takes in a token which passes through the value to the SPL: https://answers.splunk.com/answers/747953/can-i-execute-several-functions-with-a-single-perh.html#an...

Your example would then be this using the logic in that solution:

| inputlookup data.csv
| fields computer user bytes location 
| ` mycommand(7000)`

If this comment/answer was helpful, please up vote it. Thank you.

How to execute Splunk SPL with the results from a custom command?

app

python

scripted input

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...