Splunk Search

Custom search command simple example?

arubi2
Explorer

I've read the docs and iterated many times to try to get a simple command to work which pipes events to it.

Example: index=idx1 | myCommand

Inside of myCommand.py, I want the results of the query.

The docs I've tried to follow: http://docs.splunk.com/Documentation/Splunk/6.2.3/Search/Writeasearchcommand (the csv is always coming back blank), http://docs.splunk.com/Documentation/Splunk/6.2.3/AdvancedDev/Searchscripts (the example seems to only handle things passed in after the command, like "index=idx1 | myCommand -f -r")

I think there's possibly a disconnect between what should be in commands.conf and what the proper splunk.InterSplunk command is to use with it. Of course, I'm fine with scouring a csv for the info as well. So, the example would be how to properly make a search which uses the command, the correct commands.conf, where it should live (I put mine into an app), how to trigger it (I saw potentially some issues with user permissions if this lives in an app?), and the script itself. Would be awesome if the script just dumped the input to a file, or even back into splunk is fine (if it's really easy to show the round trip).

I'm also confused as to when to use this method vs. when to call a script via a scheduled search and then parse $ARG_8 instead.

Sorry this is a bit long-winded...just wanted to try to get something out there which can really help the community (this keeps coming up).

frobinson_splun
Splunk Employee

Hi again, @arubi2!
Just following up to offer some ideas after consulting with our engineers. It sounds like it might be best for you to use the Python SDK rather than work on direct integration using intersplunk. Here's a link to some of our developer documentation for custom search commands with the Python SDK:
http://dev.splunk.com/view/python-sdk/SP-CAAAEU2

I hope these might help! Please let me know either way and we can continue to try and help with your questions.

Best,
@frobinson_splunk

arubi2
Explorer

Answers greatly appreciated! I will head down the Python SDK path. I did manage to make some progress in using perl by simply taking in STDIN (and obviously using commands.conf to set that up):

myCommand.pl:

#!/usr/bin/perl
use strict;
use warnings;

# With enableheader = false in commands.conf, Splunk pipes the search
# results to the command as CSV on STDIN; this script just dumps that
# input to a file so you can see what arrived.
my $testFileName = 'params.txt';
open(my $fh, '>', $testFileName) or die "could not open $testFileName: $!";
print $fh <STDIN>;    # slurp every line of STDIN into the file
close $fh;
exit 0;

commands.conf (inside of an empty app):

[myCommand]
filename = myCommand.pl
type = perl
local = true
enableheader = false
retainsevents = true
streaming = false

Maybe you guys can make reference to the fact that the two other pages which also outline how to make a custom command are essentially deprecated and you should instead use the method you refer to? Feel free to use this example if someone else wants to use perl (it's not my preference...I was just trying anything/everything). I would assume the "trick" which isn't mentioned in the docs is to simply use STDIN (and not a param passed in), whether this is in python or perl (or anything else for that matter).
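To show the round trip the original question asked for (events in, a file dump, and results back into Splunk), here is the same STDIN approach as the perl script above written in Python. This is an added example, not code from the thread or from Splunk's Python SDK; it uses only the standard library. It assumes the commands.conf stanza shown above with `filename = myCommand.py` and `type = python`, so that `enableheader = false` leaves plain CSV (no key:value header block) on stdin and Splunk reads CSV back from stdout. The field name `seen_by_mycommand` and the dump file `params.txt` next to the script are both made up for the illustration.

```python
#!/usr/bin/env python
"""Minimal stdin/stdout custom search command (added example, not Splunk SDK code)."""
import csv
import io
import os
import sys

# Assumed: enableheader = false in commands.conf, so stdin carries only the
# CSV of search results and Splunk expects CSV on stdout in return.
# Dump the raw input next to the script, as the perl version did with params.txt.
DUMP_PATH = os.path.join(os.path.dirname(os.path.abspath(__file__)), "params.txt")

# Hypothetical field name used to mark every event that passed through the command.
MARK_FIELD = "seen_by_mycommand"


def parse_csv(csv_text):
    """Return (fieldnames, rows) for the CSV Splunk piped in; empty input gives ([], [])."""
    reader = csv.DictReader(io.StringIO(csv_text))
    rows = list(reader)
    return list(reader.fieldnames or []), rows


def transform(csv_text):
    """Tag every incoming event with MARK_FIELD and return (csv_out, event_count).

    csv_out is the CSV Splunk reads back from stdout; an empty input (the
    'blank csv' case from the question) yields a header-only result and 0.
    """
    fieldnames, rows = parse_csv(csv_text)
    if MARK_FIELD not in fieldnames:
        fieldnames.append(MARK_FIELD)
    for row in rows:
        row[MARK_FIELD] = "1"
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=fieldnames, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue(), len(rows)


def main():
    raw = sys.stdin.read()
    # Keep a copy of exactly what Splunk sent, for debugging the command.
    with open(DUMP_PATH, "w") as fh:
        fh.write(raw)
    csv_out, _ = transform(raw)
    sys.stdout.write(csv_out)


if __name__ == "__main__":
    main()
```

Run it with a constructed two-event CSV on stdin (`printf '"_raw","host"\n"event one","web01"\n' | python myCommand.py`) and you get the same rows back with the extra column; inside Splunk, `index=idx1 | myCommand` should then show `seen_by_mycommand=1` on every event, which is the quickest way to confirm the command actually received the results rather than an empty CSV.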

frobinson_splun
Splunk Employee

Thank you, @arubi2! This additional info is very helpful. You are right that the Python SDK is the preferred method and the docs should reflect that. We will work to reroute users to the Python SDK docs in our other manuals. Thank you for the example and the STDIN tip!

Cheers,
@frobinson_splunk

frobinson_splun
Splunk Employee

Hi @arubi2!
I am a tech writer here at Splunk, working with another writer to figure out this question. We're starting to look into this and I wanted to know if you have already looked at the commands.conf spec file in our documentation? You might already have done so, but if not, here's a link:
http://docs.splunk.com/Documentation/Splunk/6.2.3/Admin/Commandsconf

We'll continue working on this. Feel free to let us know if you have further questions or comments.

Thanks!

arubi2
Explorer

Yes, used this as a guide to provide the answer to this question (below). However, that page does not provide any concrete examples and leaves many terms very ambiguous. Example:

streaming = [true|false]
    * Specify whether the command is streamable.
    * Defaults to false.

As you can see, not very helpful. There's an awful lot of that in this document. After much googling and finding other people's answers, you can eventually (kinda) figure it out, but it's cumbersome to say the least.
