Splunk Search

What's the bare minimum for extending the built-in search functionality?

stevebctr
Engager

I've read the concepts page, and a lot of the App Framework documentation over at dev.splunk.com. But I still don't have a good picture of what it takes to add the bare minimum functionality not supported within the default Splunk apps.

I know how to get all the DNS lookups in Splunk. I know how to write a bloom filter in Python and find all entries that aren't in the Alexa top 1,000,000 domains, with 99.99% accuracy and low memory/CPU requirements.

But I don't know how to get the results of that Splunk DNS lookup into my Python script, and back into the output of a Splunk search. All the how-tos and tutorials seem to be saying that I have to build a heavyweight MVC app to accomplish it, and it seems like there should be a much easier way.


ChrisG
Splunk Employee

Not sure if this will help (or if you've already seen it), but have you looked at the documentation topic about custom search commands?


gkanapathy
Splunk Employee

The DNS lookup script is itself an example of a scripted Python search command.

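The pattern gkanapathy points at, as an added example that is not from this thread or from Splunk's own DNS lookup script: an external lookup script receives a CSV (with header) on stdin containing the fields named in transforms.conf, fills in the output field, and writes the CSV back to stdout. The `not_in_top_sites` stanza, the `query`/`in_allowlist` field names and the three-entry `ALLOWLIST` are assumptions constructed for the example; the asker's bloom filter would replace the set.

```python
#!/usr/bin/env python3
"""External lookup script: flag DNS query names that are not in a known-good list.

Assumed transforms.conf stanza (names chosen for this example):

    [not_in_top_sites]
    external_cmd = not_in_top_sites.py query in_allowlist
    fields_list = query, in_allowlist

Search usage: ... | lookup not_in_top_sites query OUTPUT in_allowlist
             | where in_allowlist="false"
"""
import csv
import io
import sys

# Constructed stand-in for the Alexa top-1,000,000 list; any object that
# supports "in" (such as a bloom filter) can be passed instead.
ALLOWLIST = {"example.com", "splunk.com", "google.com"}


def normalize(name):
    """Lowercase, strip surrounding whitespace and a trailing dot."""
    return name.strip().lower().rstrip(".")


def in_allowlist(name, allowlist=ALLOWLIST):
    """True if the name or any parent domain of it is in the allowlist.

    Walking up the labels lets www.example.com match an entry of example.com,
    while a bare TLD such as "com" is never checked on its own.
    """
    labels = normalize(name).split(".")
    for i in range(len(labels) - 1):
        if ".".join(labels[i:]) in allowlist:
            return True
    return False


def annotate(csv_text, allowlist=ALLOWLIST):
    """Fill the in_allowlist column for every row of the CSV Splunk passes in."""
    reader = csv.DictReader(io.StringIO(csv_text))
    fields = list(reader.fieldnames or [])
    if "in_allowlist" not in fields:  # Splunk normally sends the column empty
        fields.append("in_allowlist")
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=fields, lineterminator="\n")
    writer.writeheader()
    for row in reader:
        hit = in_allowlist(row.get("query", ""), allowlist)
        row["in_allowlist"] = "true" if hit else "false"
        writer.writerow(row)
    return out.getvalue()


if __name__ == "__main__":
    sys.stdout.write(annotate(sys.stdin.read()))
```

Splunk runs the script for each batch of events it looks up, so the allowlist is loaded once per invocation rather than once per event.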

stevebctr
Engager

As far as I can tell, that's exactly what I was hoping existed. Thanks!
I'll come back for more if it turns out, later, that doesn't do it.
