Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do I use results from a search in my custom command?

sjoerdcopier
Explorer
‎08-03-2016 12:14 PM

I'm trying to use data from a search in a custom command.

source | scrapy url=uri

This gives me the following error:

Error in 'scrapy' command: This command must be the first command of a search.

It works when I use it as follows:

| scrapy url="www.splunk.com"

How can I make it work in combination with my search index?

Reply

MuS
SplunkTrust
SplunkTrust
‎08-03-2016 01:49 PM

Hi sjoerdcopier,

the important thing is to import the splunk.Intersplunk module in your script:

import splunk.Intersplunk

and read the results from the search into your script:

myresults,dummyresults,settings = splunk.Intersplunk.getOrganizedResults() # getting search results form Splunk
     for r in myresults: # loop the results

This way your script can pick up fields from the previous search results and it should work as expected if your search results contain a field called url (just rename uri to url) or change your script to use uri instead of url.

The link posted by @somesoni2 provides useful information as well.

Hope this helps ...

cheers, MuS

Reply

sjoerdcopier
Explorer
‎08-04-2016 05:14 AM

Thanks MuS for your awnser,
I can't seem to get this right. Could you be so kind to help me out with an easy example?

   import splunk.Intersplunk

    # GET DATA FROM SEARCH
    myresults,dummyresults,settings = splunk.Intersplunk.getOrganizedResults() 

    # ILL DO SOME FANCY STUFF HERE

    # SEND DATA BACK

Thanks for helping out here.

0 Karma
Reply

MuS
SplunkTrust
SplunkTrust
‎08-04-2016 01:25 PM

Take a look at the docs, as usual everything you need is in there 😉

This http://docs.splunk.com/Documentation/Splunk/6.4.2/Search/Customsearchcommandshape will show an excellent example of a custom command which will use the previous search results, do stuff with it and return something to Splunk.

cheers, MuS

0 Karma
Reply

somesoni2
Revered Legend
‎08-03-2016 12:36 PM

Since your second search (| scrapy url="www.splunk.com")works, It seems like you've a custom "Generating" search command which is generating the results.
For a custom search command to work with your first syntax ( source | scrapy url=uri), it should be a non-generating command. See definitions of customer search commands here
http://dev.splunk.com/view/python-sdk/SP-CAAAEU2

Reply
Register for .conf21 Now! Go Vegas or Go Virtual!

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.

Get Updates on the Splunk Community!