commands.conf not updating custom search commands

ltakato
Explorer

I have created a custom search command and placed my py file in search/bin and then I have created search/local/commands.conf file and added

[data]
filename = data.py
streaming = false
changes_colorder = false

However, when I restart Splunk on the web interface the search command doesn't show up. And when I change the name of a command in the default/commands.conf file and restart Splunk, that doesn't show up either.

I have a test server that I tried everything on first and it all worked fine, but when I made the same changes on a search head we use every day the search command doesn't show up under custom search commands.

I am using Ubuntu and Splunk version 4.3.2.

Is there something that is stopping Splunk from grabbing the config files?
Any help would be appreciated.

Thanks,
Lucas

1 Solution

kallu
Communicator

Did you check that your Python script has execution rights and that you can run it manually?

I'm not sure if it's the best idea to add custom search commands under the search app. I would package them as separate apps/add-ons in their own directories to make sure nothing gets overwritten in the next Splunk upgrade. I wrote an example of plugging legacy scripts as Splunk search commands. I hope that will help you find what you were missing.

ltakato
Explorer

So it turns out that we use a shared directory that is linked to all of the Splunk instances that we use. I didn't know that, so I was installing everything to the wrong folder.

Thanks

0 Karma

ltakato
Explorer

I am able to run the scripts on the machine that Splunk is installed on, and I have already checked permissions and everything looks identical to my test machine. Hopefully the local directory that I created in the search app will not be overridden if we do update, but I will look into the separate app.

0 Karma
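
An added example, not part of the original thread and not Splunk tooling: a Python check for the two causes raised above. It merges an app's default/ and local/ commands.conf, confirms that each stanza's script exists in bin/ with an execute bit, and reports the resolved script path so a symlinked or shared directory becomes visible. The names `audit_commands` and `demo` and the sample app tree are constructed for illustration.

```python
import configparser
import tempfile
from pathlib import Path


def audit_commands(app_dir):
    """Return one record per commands.conf stanza in a Splunk app directory."""
    app = Path(app_dir)
    merged = {}
    for layer in ("default", "local"):  # settings in local/ override default/
        conf = app / layer / "commands.conf"
        if not conf.is_file():
            continue
        parser = configparser.RawConfigParser(strict=False)
        # A leading [default] header lets settings above the first stanza parse.
        parser.read_string("[default]\n" + conf.read_text())
        for stanza in parser.sections():
            if stanza != "default":
                entry = merged.setdefault(stanza, {})
                entry.update(parser[stanza])
                entry["_layer"] = layer
    records = []
    for stanza, entry in sorted(merged.items()):
        # commands.conf.spec: filename defaults to <stanza-name>.py
        script = app / "bin" / entry.get("filename", stanza + ".py")
        exists = script.is_file()
        records.append({
            "command": stanza,
            "set_in": entry["_layer"],
            "script": str(script.resolve()),  # real path behind any symlink
            "exists": exists,
            "executable": exists and bool(script.stat().st_mode & 0o111),
        })
    return records


def demo():
    """Build a constructed app tree mirroring the question and audit it."""
    app = Path(tempfile.mkdtemp()) / "search"
    for sub in ("bin", "default", "local"):
        (app / sub).mkdir(parents=True)
    (app / "default" / "commands.conf").write_text("[data]\nfilename = old.py\n")
    (app / "local" / "commands.conf").write_text(
        "[data]\nfilename = data.py\nstreaming = false\n")
    (app / "bin" / "data.py").write_text("print('ok')\n")
    (app / "bin" / "data.py").chmod(0o644)  # deliberately not executable
    return audit_commands(app)


if __name__ == "__main__":
    for record in demo():
        print(record)
```

Run `audit_commands` against the app directory of the running instance and compare the `script` paths with the directory you edited; a mismatch means the files went to a location that instance does not use.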