Splunk Search
Highlighted

Custom Command to append to search

Path Finder

Currently I am trying to write a python script that I can use to permute the input. I then wish to use this as a command to generate my output.

What I want from the search app:
Run search "host= | permute 123"

Then my permute script will return "123 OR 132 OR 213 OR 231 OR 312 OR 321" so that my final search will be "host= 123 OR 132 OR 213 OR 231 OR 312 OR 321"

Is this sort of thing possible? I have been working on developing a view for an app to execute this in. My idea was to run the permute with the input given from a text field and then put the results of the permute into the next search. I have looked through many of the Splunk documentation and forums and cannot figure out what to do. I though $results$ would give me the results of the first search but this has not worked. Any ideas? Thanks!

0 Karma
Highlighted

Re: Custom Command to append to search

Super Champion

I think so. See this search reference for calling scripts in searches:

http://docs.splunk.com/Documentation/Splunk/6.0.1/SearchReference/script

View solution in original post

Highlighted

Re: Custom Command to append to search

Path Finder

So I ended up making a script for search, and put it in $SPLUNKHOME/etc/apps/search/bin. Then added the command to $SPLUNKHOME/etc/apps/search/local/commands.conf

I run a search such as:
host=* | permute 123

Then my script takes all of the results from host=* and searches them for all combinations of 123, 132, etc. and prints them out to the results in splunk. One important thing to note was that I had to set retains events to true in commands.conf for the results to show in Splunk with all of the preprocessed fields that I wanted.

0 Karma
Highlighted

Re: Custom Command to append to search

Communicator

You don't want to pipe all those results you don't need to the command, a subsearch makes more sense in this context, e.g.:

host=* [permute 123]

This would be a generating command:

http://docs.splunk.com/Documentation/Splunk/6.0.1/AdvancedDev/SearchScripts

0 Karma