Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Adding python script to search app
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have python script I want to add to the search app in splunk 5.0.3, I found some documentation: http://docs.splunk.com/Documentation/Splunk/5.0.3/Search/AddthecustomcommandtoSplunk
Now to make sure I am doing things correctly I copied the uniq.py and called it test.py and modified the commands.conf all in the $SPLUNK_HOME/etc/apps/search folder.
After restarting splunk I can see the script in: Manager > Advanced search > Search commands
However when I tried to use it I get an error:
Error in 'test' command: This command must be the first command of a search.
Meanwhile uniq work fine, obviously since that was built into splunk.
Thank you,
Brian
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok I was able to get my custom python script to work however I needed to do the following:
- Add my script to the $SPLUNK_HOME/etc/system/bin directory
- Modify the $SPLUNK_HOME/etc/system/default/transforms.conf to include the fields:
[myscript]
external_cmd = myscript.py InputField OutputField
fields_list = InputField OutputField
- Use my script as follows:
{My Search} |lookup myscript InputField as SearchField |table OutputField
Thank you,
Brian
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok I was able to get my custom python script to work however I needed to do the following:
- Add my script to the $SPLUNK_HOME/etc/system/bin directory
- Modify the $SPLUNK_HOME/etc/system/default/transforms.conf to include the fields:
[myscript]
external_cmd = myscript.py InputField OutputField
fields_list = InputField OutputField
- Use my script as follows:
{My Search} |lookup myscript InputField as SearchField |table OutputField
Thank you,
Brian
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How are you calling the command? Your search should have a leading pipe and your command being the first command; something like:
| test
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, when I do {my search} | uniq I get my expected results however when I do {my search} | test I get:
Error in 'test' command: This command must be the first command of a search.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
