Splunk Search

Splunk Custom Search Command: Why is it showing up in configurations list, but not found from CLI?

tschn00
Explorer

I have written a python script whose purpose is to add a line to a file every time the specified command is called in Splunk. I created the script and added the command to the local commands.conf file.

When I go into my Splunk environment, I can see that this command is listed under "Settings --> All Configurations"; however, when I try to run this command from the app, I get the following message: "Search Factory: Unknown search command 'printlog'."

Python Script (saved in \Splunk\etc\apps\search\bin)

import sys
import datetime
import splunk.Intersplunk

results = []

try:
    # Read the incoming search results from Splunk.
    results, dummyresults, settings = splunk.Intersplunk.getOrganizedResults()
    # Append one timestamp line each time the command runs.
    now = datetime.datetime.now()
    with open('C:/testfile.txt', 'a') as openfile:
        openfile.write(str(now) + '\n')
    # The with block closes the file; no explicit close() is needed.

except Exception:
    import traceback
    stack = traceback.format_exc()
    results = splunk.Intersplunk.generateErrorResults("Error : Traceback: " + str(stack))

# Hand the (unchanged) results back to the search pipeline.
splunk.Intersplunk.outputResults(results)

Commands.conf edit (saved in C:\Splunk\etc\apps\search\local)

[printLog]
filename = printLog.py
type = python
local = True

1 Solution

micahkemp
Champion

You have printLog in your commands.conf and printlog in your error message (capital L vs lowercase l). Is this perhaps a case of, well, case?

Adding to this answer after doing some testing.

I ran into the same issue when trying to define your search command as printLog, but it works when I make it printlog, including in commands.conf:

[printlog]
filename = printLog.py

I think search commands are actually case insensitive in the search bar, but they are all converted to lowercase to find the actual search command. So if you | WHERE, Splunk looks for the search command where.

In addition to solving that issue, I strongly suggest you look at using the SDK for custom search commands instead of Intersplunk. This is advised by Splunk for new search commands. As a starting point, this snippet may accomplish what your script aims to do, but using the SDK:

printLog.py:

from splunklib.searchcommands import dispatch, EventingCommand, Configuration

import datetime
import sys

@Configuration()
class PrintLogCommand(EventingCommand):
    def transform(self, records):
        # Append one timestamp line each time the command runs.
        now = datetime.datetime.now()
        with open('C:/testfile.txt', 'a') as openfile:
            openfile.write(str(now) + '\n')

        # Pass every record through unchanged.
        for record in records:
            yield record

dispatch(PrintLogCommand, sys.argv, sys.stdin, sys.stdout, __name__)

commands.conf:

[printlog]
filename = printLog.py
chunked = true

You would also need to copy splunklib from the python SDK into the bin directory for this to work.
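To make the case-folding lookup concrete, here is an added check that is not part of the thread and does not reproduce Splunk's internal parser; it only models the behaviour described above using Python's configparser. It lowercases the name typed in the search bar before looking for a stanza, and lints a commands.conf for stanzas containing uppercase letters, which can never be matched. The two conf texts are constructed from the stanzas in this thread.

```python
import configparser

# Constructed from the question: the stanza name contains a capital L.
OP_CONF = """
[printLog]
filename = printLog.py
type = python
local = True
"""

# Constructed from the answer: the stanza name is all lowercase.
FIXED_CONF = """
[printlog]
filename = printLog.py
chunked = true
"""


def load_commands_conf(text):
    """Parse INI-style commands.conf text. Stanza names keep their case,
    which is exactly why [printLog] and [printlog] are different stanzas."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return parser


def resolve_command(parser, typed_name):
    """Model the lookup: the name typed after '|' is lowercased first, so
    only a lowercase stanza can match. Returns the stanza settings or None."""
    wanted = typed_name.lower()
    if parser.has_section(wanted):
        return dict(parser.items(wanted))
    return None


def lint_stanzas(parser):
    """Return stanza names that contain uppercase letters and are unreachable."""
    return [name for name in parser.sections() if name != name.lower()]


if __name__ == "__main__":
    for label, text in (("question", OP_CONF), ("answer", FIXED_CONF)):
        conf = load_commands_conf(text)
        print(label, "resolves printLog ->", resolve_command(conf, "printLog"))
        print(label, "unreachable stanzas ->", lint_stanzas(conf))
```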


tschn00
Explorer

I checked this, but it looks like no matter what case I use in the command line, the error message changes it to all lowercase. Did you notice any other mistakes in my method that might have caused this error?

0 Karma

tschn00
Explorer

Thank you so much. I experienced a different error once I fixed the first, but by using the python SDK method you suggested, it worked perfectly!

0 Karma

micahkemp
Champion

Updated answer after testing.

0 Karma