Splunk Search

Custom search command simple example?


I've read the docs and iterated many times to try to get a simple command to work which pipes events to it.

Example: index=idx1 | myCommand

Inside of myCommand.py, I want the results of the query.

The docs I've tried to follow: http://docs.splunk.com/Documentation/Splunk/6.2.3/Search/Writeasearchcommand (the csv is always coming back blank), http://docs.splunk.com/Documentation/Splunk/6.2.3/AdvancedDev/Searchscripts (the example seems to only handle things passed in after the command, like "index=idx1 | myCommand -f -r")

I think there's possibly a disconnect between what should be in commands.conf and what the proper splunk.InterSplunk command is to use with it. Of course, I'm fine with scouring a csv for the info as well. So, the example would be how to properly make a search which uses the command, the correct commands.conf, where it should live (I put mine into an app), how to trigger it (I saw potentially some issues with user permissions if this lives in an app?), and the script itself. Would be awesome if the script just dumped the input to a file, or even back into splunk is fine (if it's really easy to show the round trip).

I'm also confused as to when to use this method vs. when to call a script via a scheduled search and then parse $ARG_8 instead.

Sorry this is a bit long-winded...just wanted to try to get something out there which can really help the community (this keeps coming up).

Splunk Employee

Hi again, @arubi2!
Just following up to offer some ideas after consulting with our engineers. It sounds like it might be best for you to use the Python SDK rather than work on direct integration using intersplunk. Here's a link to some of our developer documentation for custom search commands with the Python SDK:

I hope these might help! Please let me know either way and we can continue to try and help with your questions.



Answers greatly appreciated! I will head down the Python SDK path. I did manage to make some progress in using perl by simply taking in STDIN (and obviously using commands.conf to set that up):



#!/usr/bin/perl
use strict;
use warnings;

# Dump whatever Splunk pipes in on STDIN (the search results, as CSV) to a file.
my $testFileName = 'params.txt';
open(my $fh, '>', $testFileName) or die "could not open $testFileName: $!";
print $fh <STDIN>;   # list context: copies every line of input
close $fh;
exit 0;

commands.conf (inside of an empty app):

# stanza name = the command name used in the search (index=idx1 | myCommand)
[myCommand]
filename = myCommand.pl
type = perl
local = true
enableheader = false
retainsevents = true
streaming = false

Maybe you guys can make reference to the fact that the two other pages which also outline how to make a custom command are essentially deprecated and you should instead use the method you refer to? Feel free to use this example if someone else wants to use perl (it's not my preference...I was just trying anything/everything). I would assume the "trick" which isn't mentioned in the docs is to simply use STDIN (and not a param passed in), whether this is in python or perl (or anything else for that matter).

Splunk Employee

Thank you, @arubi2! This additional info is very helpful. You are right that the Python SDK is the preferred method and the docs should reflect that. We will work to reroute users to the Python SDK docs in our other manuals. Thank you for the example and the STDIN tip!


Splunk Employee

Hi @arubi2!
I am a tech writer here at Splunk, working with another writer to figure out this question. We're starting to look into this and I wanted to know if you have already looked at the commands.conf spec file in our documentation? You might already have done so, but if not, here's a link:

We'll continue working on this. Feel free to let us know if you have further questions or comments.



Yes, used this as a guide to provide the answer to this question (below). However, that page does not provide any concrete examples and leaves many terms very ambiguous. Example:

streaming = [true|false]
    * Specify whether the command is streamable.
    * Defaults to false.

As you can see, not very helpful. There's an awful lot of that in this document. After much googling and finding other people's answers, you can eventually (kinda) figure it out, but it's cumbersome to say the least.
