Knowledge Management

Can I run a search command on data that is not in an index?

andrewtrobec
Motivator

Hello!

Is it possible to use the content of a text input token to run a search? So instead of:

index="my_index" | ...

i use

$token_text$ | ...

The goal here is to pass the text content to an external script and then be able to output a result. The text that needs to be analyzed, however, is not within an index, but is provided ad-hoc.

Is this possible?

Thanks!

Andrew

Tags (1)
0 Karma
1 Solution

woodcock
Esteemed Legend

If you need to turn a carefully constructed string of text into "fake" events, check out this Q&A which describes exactly this:

https://answers.splunk.com/answers/265921/what-is-the-best-way-to-spoof-run-anywhere-fake-da.html#an...

View solution in original post

woodcock
Esteemed Legend

If you need to turn a carefully constructed string of text into "fake" events, check out this Q&A which describes exactly this:

https://answers.splunk.com/answers/265921/what-is-the-best-way-to-spoof-run-anywhere-fake-da.html#an...

andrewtrobec
Motivator

Perfect, thank you!

0 Karma

gfreitas
Builder

Hi, In this case you need to create a custom search command. You can find more information here: http://dev.splunk.com/view/python-sdk/SP-CAAAEU2 and here: http://docs.splunk.com/Documentation/Splunk/6.5.2/Search/Writeasearchcommand

Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...