Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: Running external script from search
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I'm trying to generate events through an external script from the search, using the script command. Splunk says the command does not exist in commands.conf. However, the documentation for the script command doesn't say that the script needs to exist in commands.conf. Is this just a simple omission, or am I doing something wrong?
This is what I'm trying to do:
| script perl foo
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I've not used the "script" command before, but I do use external scripts as custom commands. This involves setting up the "commands.conf" file.
Your script should live within the "bin" directory of your app, e.g. $SPLUNK_HOME/etc/apps/<appName>/bin/, you should then add something like the following to the app's "local" directory...
[exampleCommand]
filename = script.pl
type = perl
You can then call the script in Splunk like the following assuming you have 2 arguments.
*| exampleCommand arg1 arg2
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
According to
the documentation for the script command you can't use script like you are thinking.
script calls an external python program that can modify or generate search results. Scripts must be declared in the commands.conf file and be located in the $SPLUNK_HOME/etc/apps//bin/ directory. The script is executed using $SPLUNK_HOME/bin/python
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I've not used the "script" command before, but I do use external scripts as custom commands. This involves setting up the "commands.conf" file.
Your script should live within the "bin" directory of your app, e.g. $SPLUNK_HOME/etc/apps/<appName>/bin/, you should then add something like the following to the app's "local" directory...
[exampleCommand]
filename = script.pl
type = perl
You can then call the script in Splunk like the following assuming you have 2 arguments.
*| exampleCommand arg1 arg2
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorry I couldn't help on the command itself, but good job on getting a solution working.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How the script command is supposed to be used is still a bit unclear to me, but editing commands.conf certainly works.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Yes, this is pretty much what is described in the documentation about custom commands in the documentation. The documentation for the script command led me to believe you can avoid editing commands.conf.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Splunk Community Badges!
How to find the worst searches in your Splunk environment and how to fix them
Share Your Feedback: On Admin Config Service (ACS)!
