Knowledge Management
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Calling Custom Commands and returning data to an Eval

jdhart1312
Loves-to-Learn Everything
‎08-08-2024 12:21 PM

I have a custom command that calls a script for nslookup and returns the data to splunk. All of it is working but I want to use this custom command in Splunk to return the data to an eval and output that into a table. For example, the search string would look something like the following: 

 

index="*" 
| iplocation src_ip
| eval testdata = | nslookupsearch dest_ip
| table testdata _time
| sort - _time

 

NOTE: This is not the exact search string, this is just a mock string.

When I run:

 

| nslookupsearch Record_Here

 

I get the correct output and data that I want to see. But when I run the command to attach the returned value to an eval, it fails. I keep getting errors on doing this but I can't find something that will work like this. The testdata eval keeps failing. 

Labels (1)
Labels
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎08-08-2024 12:36 PM

Hi

have you try

| eval testdata = [| nslookupsearch dest_ip|return <your field name from command]

r. Ismo 

0 Karma
Reply

jdhart1312
Loves-to-Learn Everything
‎08-08-2024 12:55 PM

I tried that but I don't have a field name from my command. Do I need to set one or how does this work? Still new to understanding all of this. I got the command running but working in the commands.conf and default.meta files by calling the python/powershell files. Is this something I need to set somewhere?

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎08-08-2024 12:58 PM
You could pipe it to rex and create a new field inside subsearch. Then just use this field with return.
0 Karma
Reply

jdhart1312
Loves-to-Learn Everything
‎08-12-2024 06:17 AM

Do you have an example of this? I'm trying to work through it but I can't get anything to work. 

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎08-12-2024 08:36 AM

It seems that splunk didn't support to use normal (custom) command return data to use as value for eval. I suppose that you must update your custom command to work as function to use it with eval.

What is your actual issue which you are trying to solve with this eval way? Maybe there is some other way to do it or otherwise you must create additional custom function or something similar.

0 Karma
Reply

jdhart1312
Loves-to-Learn Everything
‎08-14-2024 07:45 AM

I'm trying to call the nslookupsearch custom command. All that does is an nslookup for an IP or computer name. But I'm trying to use it in a search because some of the data we get ingested doesn't contain the information we need, so we implemented the custom command to be able to nslookup and populate a table with the data retrieved from the nslookupsearch. 

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎08-14-2024 12:13 PM
You didn’t tell why you are needing eval.
Can you show real output of your custom command?
0 Karma
Reply

jdhart1312
Loves-to-Learn Everything
‎08-14-2024 12:17 PM

I don't necessarily need the eval, I just need it to output to the extra field in the table. 

Output by running the custom command looks like the following: 

| nslookupsearch testcmd

Output example: 10.10.10.10

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...