Knowledge Management

Calling Custom Commands and returning data to an Eval

jdhart1312
Loves-to-Learn Everything

I have a custom command that calls a script for nslookup and returns the data to Splunk. All of it is working, but I want to use this custom command in Splunk to return the data to an eval and output that into a table. For example, the search string would look something like the following:

index="*" 
| iplocation src_ip
| eval testdata = | nslookupsearch dest_ip
| table testdata _time
| sort - _time

NOTE: This is not the exact search string, this is just a mock string.

When I run:

| nslookupsearch Record_Here

I get the correct output and data that I want to see. But when I run the command to attach the returned value to an eval, it fails. I keep getting errors when doing this, but I can't find anything that works like this. The testdata eval keeps failing.


isoutamo
SplunkTrust

Hi

Have you tried

| eval testdata = [| nslookupsearch dest_ip | return <your field name from command>]

r. Ismo 


jdhart1312
Loves-to-Learn Everything

I tried that but I don't have a field name from my command. Do I need to set one or how does this work? Still new to understanding all of this. I got the command running but working in the commands.conf and default.meta files by calling the python/powershell files. Is this something I need to set somewhere?


isoutamo
SplunkTrust
You could pipe it to rex and create a new field inside subsearch. Then just use this field with return.

jdhart1312
Loves-to-Learn Everything

Do you have an example of this? I'm trying to work through it but I can't get anything to work. 


isoutamo
SplunkTrust

It seems that Splunk doesn't support using a normal (custom) command's return data as a value for eval. I suppose that you must update your custom command to work as a function in order to use it with eval.

What is the actual issue you are trying to solve with this eval approach? Maybe there is some other way to do it; otherwise you must create an additional custom function or something similar.


jdhart1312
Loves-to-Learn Everything

I'm trying to call the nslookupsearch custom command. All that does is an nslookup for an IP or computer name. But I'm trying to use it in a search because some of the data we get ingested doesn't contain the information we need, so we implemented the custom command to be able to nslookup and populate a table with the data retrieved from the nslookupsearch. 


isoutamo
SplunkTrust
You didn't say why you need eval.
Can you show real output of your custom command?

jdhart1312
Loves-to-Learn Everything

I don't necessarily need the eval, I just need it to output to the extra field in the table. 

Output by running the custom command looks like the following: 

| nslookupsearch testcmd

Output example: 10.10.10.10

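Since eval cannot take a command's output as its value, the way to get the lookup result into the table is the one isoutamo points at: make the command add a field to each event as it streams through, so the search only needs `| table testdata _time` afterwards. The following is an added example, not the thread's nslookupsearch code; it models that per-event enrichment in plain Python using the field names from the thread (dest_ip in, testdata out), a constructed event list and a constructed PTR table, caches answers so a search over many events does not repeat the same DNS query from the search head, and keeps an unresolvable address from aborting the whole search. In a real deployment the loop in enrich() is what would go into the stream() method of a splunklib StreamingCommand.

```python
import socket
from typing import Callable, Dict, Iterable, Iterator, List, Optional, Tuple

# Constructed sample events standing in for the results of the "index=*" search.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"_time": "2024-12-01T10:00:00", "dest_ip": "10.10.10.10"},
    {"_time": "2024-12-01T10:00:05", "dest_ip": "10.10.10.11"},
    {"_time": "2024-12-01T10:00:09", "dest_ip": "10.10.10.10"},  # repeat IP: answered from cache
    {"_time": "2024-12-01T10:00:12"},                             # event without dest_ip
]

def reverse_lookup(ip: str) -> str:
    return socket.gethostbyaddr(ip)[0]  # default resolver: PTR lookup via the OS resolver (needs network)

def enrich(records: Iterable[Dict[str, str]], src_field: str = "dest_ip", dst_field: str = "testdata",
           resolver: Callable[[str], str] = reverse_lookup) -> Iterator[Dict[str, str]]:
    """Add dst_field to every event that has src_field, the way a streaming command does.
    Each distinct value is resolved once per search; a failed lookup leaves the event unchanged."""
    cache: Dict[str, Optional[str]] = {}
    for rec in records:
        out = dict(rec)
        value = rec.get(src_field)
        if value:
            if value not in cache:
                try:
                    cache[value] = resolver(value)
                except OSError:  # socket.herror / socket.gaierror are OSError subclasses
                    cache[value] = None
            if cache[value] is not None:
                out[dst_field] = cache[value]
        yield out

# Constructed PTR answers so the example runs offline; a real command would use reverse_lookup.
FAKE_PTR = {"10.10.10.10": "web01.example.internal"}

def make_fake_resolver() -> Tuple[Callable[[str], str], List[str]]:
    """Resolver that answers from FAKE_PTR and records every lookup it performs."""
    calls: List[str] = []
    def resolver(ip: str) -> str:
        calls.append(ip)
        if ip not in FAKE_PTR:
            raise socket.herror(1, "Unknown host")
        return FAKE_PTR[ip]
    return resolver, calls

def demo() -> Tuple[List[Dict[str, str]], int]:
    """Run the sample events through enrich(); return the rows and how many lookups were made."""
    resolver, calls = make_fake_resolver()
    rows = list(enrich(SAMPLE_EVENTS, resolver=resolver))
    return rows, len(calls)
```

With the command behaving this way, the mock search from the first post reduces to `index="*" | nslookupsearch dest_ip | table testdata _time | sort - _time`, with no eval or subsearch involved.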