Splunk Dev
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Creating a custom where command

joepjisc
Path Finder
‎11-25-2020 10:42 AM

Hi,

I'm new to creating custom search commands, and haven't been able to understand the examples in the SDK repo on GitHub, if someone can point me to or provide a step by step guide to achieve the below that'd be really appreciated.

Problem: I need to filter my results to only include events where a field (cidr) is a subnet of a range entered on a dashboard ($search_cidr$).

As the builtin cidrmatch(CIDR, IP) only works with an IP and a CIDR range, I don't beleive I can do this natively, so I'm thinking a custom where command is the way to go, so I can do something like this in SPL:

| from datamodel:mymodel
| where SubnetOf(cidr, "$search_cidr$")

I've written a basic Python function in my apps bin directory to do the comparison, it takes either (IP, Subnet) or (Subnet. Subnet) and returns a boolean, however I don't know how to turn this into a filter for the where command to use.

 

#!/usr/bin/env python3
from ipaddress import ip_network


def SubnetOf(Needle, Haystack):
    try:
        Needle = ip_network(Needle)
        Haystack = ip_network(Haystack)
        return Needle.subnet_of(Haystack)
    except:
        return False

 

 

Any guidance to get me started would be great.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎11-25-2020 01:02 PM

AFAIK, the where command is not extensible.  You can do the equivalent with a custom command, though.

| from datamodel:mymodel
| SubnetOf needle=cidr haystack="$search_cidr$" result=foo
| where foo

You'll need to convert your script into a Splunk streaming command, though.  See dev.splunk.com for more.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎11-25-2020 01:02 PM

AFAIK, the where command is not extensible.  You can do the equivalent with a custom command, though.

| from datamodel:mymodel
| SubnetOf needle=cidr haystack="$search_cidr$" result=foo
| where foo

You'll need to convert your script into a Splunk streaming command, though.  See dev.splunk.com for more.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users

This article is the continuation of the “Combine multiline logs into a single event with SOCK - a step-by-step ...

Everything Community at .conf24!

You may have seen mention of the .conf Community Zone 'round these parts and found yourself wondering what ...

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...