Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How do I use results from a search in my custom co...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How do I use results from a search in my custom command?
sjoerdcopier
Explorer
08-03-2016
12:14 PM
I'm trying to use data from a search in a custom command.
source | scrapy url=uri
This gives me the following error:
Error in 'scrapy' command: This command must be the first command of a search.
It works when I use it as follows:
| scrapy url="www.splunk.com"
How can I make it work in combination with my search index?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
MuS
Legend
08-03-2016
01:49 PM
Hi sjoerdcopier,
the important thing is to import the splunk.Intersplunk module in your script:
import splunk.Intersplunk
and read the results from the search into your script:
myresults,dummyresults,settings = splunk.Intersplunk.getOrganizedResults() # getting search results form Splunk
for r in myresults: # loop the results
This way your script can pick up fields from the previous search results and it should work as expected if your search results contain a field called url (just rename uri to url) or change your script to use uri instead of url.
The link posted by @somesoni2 provides useful information as well.
Hope this helps ...
cheers, MuS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sjoerdcopier
Explorer
08-04-2016
05:14 AM
Thanks MuS for your awnser,
I can't seem to get this right. Could you be so kind to help me out with an easy example?
import splunk.Intersplunk
# GET DATA FROM SEARCH
myresults,dummyresults,settings = splunk.Intersplunk.getOrganizedResults()
# ILL DO SOME FANCY STUFF HERE
# SEND DATA BACK
Thanks for helping out here.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
MuS
Legend
08-04-2016
01:25 PM
Take a look at the docs, as usual everything you need is in there 😉
This http://docs.splunk.com/Documentation/Splunk/6.4.2/Search/Customsearchcommandshape will show an excellent example of a custom command which will use the previous search results, do stuff with it and return something to Splunk.
cheers, MuS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
08-03-2016
12:36 PM
Since your second search (| scrapy url="www.splunk.com")works, It seems like you've a custom "Generating" search command which is generating the results.
For a custom search command to work with your first syntax ( source | scrapy url=uri), it should be a non-generating command. See definitions of customer search commands here
http://dev.splunk.com/view/python-sdk/SP-CAAAEU2
Get Updates on the Splunk Community!
Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern
Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
A Prelude to .conf25: Your Guide to Splunk University
Heading to Boston this September for .conf25? Get a jumpstart by arriving a few days early for Splunk ...
4 Ways the Splunk Community Helps You Prepare for .conf25
.conf25 is right around the corner, and whether you’re a first-time attendee or a seasoned Splunker, the ...
