Hi,
I'm building my first own Splunk app with python. Now I'm asking if it's possible to execute Splunk SPL with the records I receive?
An example:
| inputlookup data.csv | fields computer user bytes location | mycommand
Now "mycommand" receives the data in a python script.
Python -> execute "| where bytes > 7000"
Now the command should return the data.csv with bytes higher than 7000. The filtering was executed on the app.
Thanks for your help!
Hi @randomforests09
You can refer to the following links for help in building a custom command:
http://dev.splunk.com/view/SP-CAAAFFT
http://dev.splunk.com/view/custom-spl/SP-CAAAFG3
What I suggest is, you form the whole query directly in your python script. Then execute the search from the script itself.
You will find a few examples here: http://dev.splunk.com/view/python-sdk/SP-CAAAEE5
Do let me know if that helps.
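As an added illustration (not from this thread, and not Splunk's own code) of the other route the question hints at, the custom command can apply the "bytes > 7000" filter to the records it receives itself, inside a Splunk SDK StreamingCommand, instead of launching a second search. It assumes splunklib is vendored in the app's lib directory; the command name `mycommand` comes from the question, while the `threshold` option and the helper names are made up for the example.

```python
import sys

# Assumption: splunklib (Splunk Python SDK) is vendored into the app's lib/ dir.
# The import is guarded so the filtering logic can also be exercised outside Splunk.
try:
    from splunklib.searchcommands import (Configuration, Option, StreamingCommand,
                                          dispatch, validators)
    HAVE_SPLUNKLIB = True
except ImportError:  # not running under splunkd
    HAVE_SPLUNKLIB = False


def to_int(value):
    """Splunk hands every field value to the command as a string (or a list
    for multivalue fields). Return an int, or None if it cannot be parsed."""
    if isinstance(value, list):          # multivalue field: use the first value
        value = value[0] if value else None
    if value is None or value == "":
        return None
    try:
        return int(float(value))         # accepts "7000" as well as "7000.0"
    except (TypeError, ValueError):
        return None


def filter_by_bytes(records, threshold):
    """Yield only the records whose 'bytes' field exceeds threshold.
    Records with a missing or non-numeric 'bytes' value are dropped, which
    matches what '| where bytes > threshold' does in SPL."""
    for record in records:
        size = to_int(record.get("bytes"))
        if size is not None and size > threshold:
            yield record


if HAVE_SPLUNKLIB:
    @Configuration()
    class MyCommand(StreamingCommand):
        """Usage in SPL: | inputlookup data.csv | mycommand threshold=7000"""
        threshold = Option(require=True, validate=validators.Integer(minimum=0))

        def stream(self, records):
            # records arrive as dicts; yield the ones that pass the filter
            return filter_by_bytes(records, self.threshold)

    # dispatch() only runs the command when splunkd executes this script as __main__
    dispatch(MyCommand, sys.argv, sys.stdin, sys.stdout, __name__)
```

The script is registered in commands.conf with `streaming = true` (hypothetical stanza name `[mycommand]`), so Splunk passes the lookup rows through `stream()` in chunks.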
You may get more mileage out of an existing solution in Splunk by using a search macro instead of a python script to execute more SPL. Check out a previously solved answer where a macro is created that takes in a token which passes through the value to the SPL: https://answers.splunk.com/answers/747953/can-i-execute-several-functions-with-a-single-perh.html#an...
Your example would then be this using the logic in that solution:
| inputlookup data.csv
| fields computer user bytes location
| `mycommand(7000)`