Splunk Search

How to pass parameters in custom search command without field camp?


How can i run a search command passing an argument to python script via sys.argv?

My script:

import requests
import sys
import json
from splunklib.searchcommands import \
 dispatch, GeneratingCommand, Configuration, Option, validators

class GenerateHelloCommand(GeneratingCommand):

    id = Option(require=True, validate=validators.Integer())

    def generate(self):

        site = "https://link/api/link.json?id=" + str(self.id) + "&username=x2&passhash=x"
        response = requests.get(site, timeout=10)
        filtro = json.loads(response.text)
        filt = filtro["sensordata"]["statustext"]
        yield {'ID' : str(self.id), 'STATUS' : filt}

dispatch(GenerateHelloCommand, sys.argv, sys.stdin, sys.stdout, __name__)

Currently i run my command like this:

| comando id=11249

and it work, but I would like to run my command like this:

| comando 11249

Such that i get 11249 into the python script like a variable. Example:

ID = arg.sysv[1]

My commands.conf:


Can someone help me?

0 Karma


I am using Python SDK. Watch "self.fieldname" routine. My command will have one argument - existing field from previous search (message_subject). With the code below I was successfull passing value from any field I add as an argument to SPL commmand: e.g. "| mimedecode message_subject"

I got inspiration from:



class decodemimeCommand(StreamingCommand):
    def stream(self, records):
    # get the argument - fieldname with mime-encoded string 
    message_subject = self.fieldnames[0]

    for record in records:
        record['message_subject_decoded'] = main(record[message_subject])
        yield record

if __name__ == "__main__":
    dispatch(decodemimeCommand, sys.argv, sys.stdin, sys.stdout, __name__)



0 Karma

Esteemed Legend
Get Updates on the Splunk Community!

Platform Newsletter Highlights | March 2023

 March 2023 | Check out the latest and greatestIntroducing Splunk Edge Processor, simplified data ...

Enterprise Security Content Updates (ESCU) - New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 3 releases of new content via the Enterprise ...

Thought Leaders are Validating Your Hard Work and Training Rigor

As a Splunk enthusiast and member of the Splunk Community, you are one of thousands who recognize the value of ...