I have written my own custom generating command in Splunk which connects to our API and fetches threat details of a domain/ip. The syntax of the command is as follows:

| snxhostreputation host=

e.g. snxhostreputation host=www.google.com

This command generates one event for one domain but what I want to achieve is that, I should be able to pass multiple domains to this generating command and correspondingly generate events on each request to the API. The intended use-case is that users should be able to pass all domains present in their log data and get the information in the form of events. Now, as the generating command must be the very first command in a search, I cannot use any other command behind it to pass it data.

What can I do to achieve my use-case? So far, I have considered changing it to a streaming search command but I am not sure how would I achieve the same there as I also want the command to work for a single value as well as a list of values. Any tips to achieve this?