Calling Custom Commands and returning data to an Eval

jdhart1312
Loves-to-Learn Everything

I have a custom command that calls a script for nslookup and returns the data to splunk. All of it is working but I want to use this custom command in Splunk to return the data to an eval and output that into a table. For example, the search string would look something like the following: 

index="*" 
| iplocation src_ip
| eval testdata = | nslookupsearch dest_ip
| table testdata _time
| sort - _time

NOTE: This is not the exact search string, this is just a mock string.

When I run:

| nslookupsearch Record_Here

I get the correct output and data that I want to see. But when I run the command to attach the returned value to an eval, it fails. I keep getting errors on doing this but I can't find something that will work like this. The testdata eval keeps failing. 

0 Karma

isoutamo
SplunkTrust

Hi

Have you tried

| eval testdata = [| nslookupsearch dest_ip|return <your field name from command]

r. Ismo 

0 Karma

jdhart1312
Loves-to-Learn Everything

I tried that but I don't have a field name from my command. Do I need to set one or how does this work? Still new to understanding all of this. I got the command running but working in the commands.conf and default.meta files by calling the python/powershell files. Is this something I need to set somewhere?

0 Karma

isoutamo
SplunkTrust
You could pipe it to rex and create a new field inside subsearch. Then just use this field with return.
0 Karma

jdhart1312
Loves-to-Learn Everything

Do you have an example of this? I'm trying to work through it but I can't get anything to work. 

0 Karma

isoutamo
SplunkTrust

It seems that Splunk doesn't support using a normal (custom) command's returned data as a value for eval. I suppose that you must update your custom command to work as a function in order to use it with eval.

What is the actual issue you are trying to solve with this eval approach? Maybe there is some other way to do it; otherwise you must create an additional custom function or something similar.

0 Karma

jdhart1312
Loves-to-Learn Everything

I'm trying to call the nslookupsearch custom command. All that does is an nslookup for an IP or computer name. But I'm trying to use it in a search because some of the data we get ingested doesn't contain the information we need, so we implemented the custom command to be able to nslookup and populate a table with the data retrieved from the nslookupsearch. 

0 Karma

isoutamo
SplunkTrust
You didn't say why you need eval.
Can you show real output of your custom command?
0 Karma

jdhart1312
Loves-to-Learn Everything

I don't necessarily need the eval, I just need it to output to the extra field in the table. 

Output by running the custom command looks like the following: 

| nslookupsearch testcmd

Output example: 10.10.10.10

0 Karma
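Added example, not code from either poster or from Splunk: the thread's goal is to add a resolved name or address to each event so it can land in a table, and a generating command used inside eval cannot do that. A streaming custom command that adds a field per event can. The core enrichment function below runs on plain dictionaries (stand-ins for Splunk result rows, constructed here), takes the resolver as a parameter so it can be exercised offline, validates the field value before resolving it, and memoises lookups per run. The command name nslookupsearch, the field/outfield option names and the resolved output field are assumptions; the splunklib wrapper at the bottom is optional and only activates when the Splunk SDK is present, and the script would still need to be registered in commands.conf as the poster's existing one is.

```python
"""Per-event DNS enrichment for a Splunk streaming custom command.

Core logic is SDK-free so it can be tested outside Splunk; the
splunklib.searchcommands wrapper is attached only if the SDK imports.
"""
import ipaddress
import re
import socket
import sys

# Constructed sample rows standing in for Splunk search results.
SAMPLE_EVENTS = [
    {"_time": "1700000000", "dest_ip": "10.10.10.10"},
    {"_time": "1700000001", "dest_ip": "not an address"},   # junk field value
    {"_time": "1700000002", "dest_ip": ""},                 # missing value
    {"_time": "1700000003", "dest_ip": "10.10.10.10"},      # repeat, served from cache
]

# Only hostname/IP characters are accepted. Field values come from ingested
# data, so they are treated as untrusted and never handed to a shell.
_SAFE_TARGET = re.compile(r"^[A-Za-z0-9.\-:]{1,253}$")


def default_resolver(target):
    """Reverse-resolve an IP (PTR) or forward-resolve a hostname (A/AAAA)
    with the system resolver. Returns None when the lookup fails."""
    try:
        ipaddress.ip_address(target)          # raises ValueError for hostnames
        return socket.gethostbyaddr(target)[0]
    except ValueError:
        try:
            return socket.gethostbyname(target)
        except OSError:                       # gaierror/herror are OSError subclasses
            return None
    except OSError:
        return None


def enrich_events(events, field, outfield="resolved", resolver=default_resolver):
    """Return a copy of each event with `outfield` added.

    Invalid or empty inputs produce an empty string instead of an error so
    the search keeps running; each distinct target is resolved once per run.
    """
    cache = {}
    enriched = []
    for event in events:
        target = (event.get(field) or "").strip()
        if not _SAFE_TARGET.match(target):
            value = ""
        elif target in cache:
            value = cache[target]
        else:
            value = resolver(target) or ""
            cache[target] = value
        enriched.append({**event, outfield: value})
    return enriched


# Optional Splunk wrapper; assumed command/option names, see the lead-in.
try:
    from splunklib.searchcommands import Configuration, Option, StreamingCommand, dispatch
except ImportError:       # SDK absent outside Splunk; the functions above still work
    StreamingCommand = None

if StreamingCommand is not None:
    @Configuration()
    class NsLookupSearchCommand(StreamingCommand):
        """Usage: ... | nslookupsearch field=dest_ip outfield=resolved | table resolved _time"""
        field = Option(require=True)
        outfield = Option(default="resolved")

        def stream(self, records):
            yield from enrich_events(records, self.field, self.outfield)

    if __name__ == "__main__":
        dispatch(NsLookupSearchCommand, sys.argv, sys.stdin, sys.stdout, __name__)
```

With the command written this way there is no eval at all: `| nslookupsearch field=dest_ip | table resolved _time` adds the field to every event, and a value that cannot be resolved simply leaves `resolved` empty in the table rather than failing the search. Doing the lookup through the socket API instead of shelling out to nslookup also removes the risk of an event field value being interpreted by the shell.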