Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Python custom event generating commands to behave like macros

leecaf
Explorer
‎05-23-2013 11:00 AM

Given that macros lack the ability to take variable length arguments or parse a single arg into several args. what I'd like to do is create custom event generating commands in python that execute searches underneath the hood. a simple example would be a SQL 'in' syntax generator.

sqlIn( Id, 11, 33, 44 ) # where no of args can vary

would execute the search below and return the events in splunk UI or piped to subsequent commands. 

index=* ( Id=11 OR Id=33 OR Id=44 )

The best way I can think of doing this is the create a event-generating command and execute the search via the rest API ( which seems clunky ) is there a way execute a search from the splunk search head calling this py script without having to infer the REST URL with env variables etc?

Even better

I'd like to be able to generate macro text from Python functions which when added to the /bin directory can be used like a normal macro.

Tags (2)
0 Karma
Reply

dart
Splunk Employee
Splunk Employee
‎06-07-2013 01:14 AM

You can do this using an macro with a subsearch.

If you create a search field in your subsearch it will expand out into a search, and you can use replace to format your string correctly, like so:

index=_internal metrics [ stats count | eval test="per_host_thruput,per_index_thruput" | eval search = "group=" + replace(test,",", " OR group=") ]

Which could be converted into a macro which specified the variable fields, and the field name.

You can also do this be creating a python script that returns a field called search, and then call it inside a subsearch.

Reply

yannK
Splunk Employee
Splunk Employee
‎06-05-2013 04:48 PM

You can create a custom search command calling a script.
see http://docs.splunk.com/Documentation/Splunk/5.0.3/Search/Writeasearchcommand

then have the script call a search using the REST API, or a simple the CLI search command.
for the CLI see http://docs.splunk.com/Documentation/Splunk/5.0.3/SearchReference/CLIsearchsyntax

0 Karma
Reply

leecaf
Explorer
‎06-06-2013 08:15 AM

Think you've missed my point. I want to write a event generating command which will run a search and return some data from the splunk UI. not CLI specific.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

AI is changing how teams investigate incidents, detect threats, automate workflows, and build intelligent ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...