Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I avoid using an eval for a fixed value parameter in a custom command?

andrewtrobec
Motivator
‎03-25-2020 02:38 AM

Hello,

I have a custom command, let's call it customcommand. This command takes two parameters, parameter1 and parameter2.

parameter1 should be a fixed value, fixedvalue, while parameter2 comes from a field in the search. In order to get the custom command working, I am currently using an eval before the custom command to fix the value for parameter1. It looks like this:

...
| eval parameter1 = "fixedvalue"
| customcommand parameter1 parameter2
...

Is there a way of setting parameter1 directly in the customcommand call? Something like:

| customcommand parameter1="fixedvalue" parameter2

I added supports_rawargs = true to my commands.conf, but it doesn't seem to resolve.

Can somebody point me in the right direction?

Thanks!

Andrew

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

andrewtrobec
Motivator
‎03-29-2020 01:24 AM

Figured it out finally, was quite obvious in the end. Anyways, here is a snippet that should help anyone who comes across the same problem. I used Intersplunk library and the difference is between a keyword and an option:

keywords, options = splunk.Intersplunk.getKeywordsAndOptions()
...
parameter1 = str(options.get("parameter1","NULL"))
parameter2 = str(result[keywords[0]])
...

Custom command can then be invoked like this:

| customcommand parameter1=fixedvalue parameter2

Hope this helps!

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

andrewtrobec
Motivator
‎03-29-2020 01:24 AM

Figured it out finally, was quite obvious in the end. Anyways, here is a snippet that should help anyone who comes across the same problem. I used Intersplunk library and the difference is between a keyword and an option:

keywords, options = splunk.Intersplunk.getKeywordsAndOptions()
...
parameter1 = str(options.get("parameter1","NULL"))
parameter2 = str(result[keywords[0]])
...

Custom command can then be invoked like this:

| customcommand parameter1=fixedvalue parameter2

Hope this helps!

0 Karma
Reply
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...