Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Custom Command to append to search

emccaslin
Path Finder
‎02-27-2014 11:36 AM

Currently I am trying to write a python script that I can use to permute the input. I then wish to use this as a command to generate my output.

What I want from the search app:
Run search "host= | permute 123"

Then my permute script will return "123 OR 132 OR 213 OR 231 OR 312 OR 321" so that my final search will be "host= 123 OR 132 OR 213 OR 231 OR 312 OR 321"

Is this sort of thing possible? I have been working on developing a view for an app to execute this in. My idea was to run the permute with the input given from a text field and then put the results of the permute into the next search. I have looked through many of the Splunk documentation and forums and cannot figure out what to do. I though $results$ would give me the results of the first search but this has not worked. Any ideas? Thanks!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lukejadamec
Super Champion
‎02-27-2014 11:45 AM

I think so. See this search reference for calling scripts in searches:

http://docs.splunk.com/Documentation/Splunk/6.0.1/SearchReference/script

View solution in original post

Reply
Solved! Jump to solution

kaufmanm
Communicator
‎02-27-2014 12:13 PM

You don't want to pipe all those results you don't need to the command, a subsearch makes more sense in this context, e.g.:

host=* [permute 123]

This would be a generating command:

http://docs.splunk.com/Documentation/Splunk/6.0.1/AdvancedDev/SearchScripts

0 Karma
Reply
Solved! Jump to solution
Solution

lukejadamec
Super Champion
‎02-27-2014 11:45 AM

I think so. See this search reference for calling scripts in searches:

http://docs.splunk.com/Documentation/Splunk/6.0.1/SearchReference/script

Reply
Solved! Jump to solution

emccaslin
Path Finder
‎04-04-2014 09:43 AM

So I ended up making a script for search, and put it in $SPLUNK_HOME/etc/apps/search/bin. Then added the command to $SPLUNK_HOME/etc/apps/search/local/commands.conf

I run a search such as:
host=* | permute 123

Then my script takes all of the results from host=* and searches them for all combinations of 123, 132, etc. and prints them out to the results in splunk. One important thing to note was that I had to set retains events to true in commands.conf for the results to show in Splunk with all of the preprocessed fields that I wanted.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to January Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...

[Puzzles] Solve, Learn, Repeat: Reprocessing XML into Fixed-Length Events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...