Getting Data In

commands.conf not updating custom search commands

ltakato
Explorer

I have created a custom search command and placed my py file in search/bin and then I have created search/local/commands.conf file and added

[data]
filename = data.py
streaming = false
changes_colorder = false

However when I restart splunk on the web interface the search command doesn't show up. And when I change the name of a command in the default/commands.conf file and restart splunk that doesn't show up either.

I have a test server that I tried everything on first and it all worked fine but as when I made the same changes on a search head we use everyday the search command doesn't show up under custom search commands.

I am using ubuntu and splunk version 4.3.2.

Is there something that is stopping splunk from grabbing the config files?
Any help would be appreciated.

Thanks,
Lucas

1 Solution

kallu
Communicator

Did you check your python script has execution rights and you can run it manually?

I'm not sure if it's the best idea to add custom search commands under search -app. I would package them as separate apps/add-ons in their own directories to make sure nothing gets overwritten in next Splunk upgrade. I wrote an example of plugging legacy scripts as Splunk search commands. I hope that will help you find what you were missing.

View solution in original post

kallu
Communicator

Did you check your python script has execution rights and you can run it manually?

I'm not sure if it's the best idea to add custom search commands under search -app. I would package them as separate apps/add-ons in their own directories to make sure nothing gets overwritten in next Splunk upgrade. I wrote an example of plugging legacy scripts as Splunk search commands. I hope that will help you find what you were missing.

ltakato
Explorer

So it turns out that we use a shared directory that is linked to all of our splunk instances that we use. I didn't know that so I was installing everything to the wrong folder.

Thanks

0 Karma

ltakato
Explorer

I am able to run the scripts on the machine that splunk is installed on, and I have already checked permission and everything looks identical to my test machine. Hopefully the local directory that I created in the search app will not be overridden if we do update but I will look into the separate app.

0 Karma
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...