
Why do I get error message "Unknown search command" for my custom search command?

andrewtrobec
Motivator

Hello All,

I am using Splunk Enterprise 6.6.3 on Windows 10 and trying to get a custom search to work. I've followed this manual http://docs.splunk.com/Documentation/Splunk/6.6.3/Search/Writeasearchcommand along with various answer threads, but I cannot get it to work. I have a script that will calculate business hours between two timestamps. Splunk setup is as follows:

  • Custom python script totalbusinesshours.py is located in $SPLUNK_HOME/etc/apps/<app_name>/bin/
  • commands.conf located in $SPLUNK_HOME/etc/apps/<app_name>/local/ and encoded with UTF-8-BOM (like the other conf files) contains the following stanza:

    [totalbusinesshours]
    filename = totalbusinesshours.py

After restarting the server I run the following search:

* | totalbusinesshours StartTime EndTime

Which produces this error:

Search Factory: Unknown search command 'totalbusinesshours'.

I've also tried the following search:

* | script totalbusinesshours StartTime EndTime

but this produces a different error:

Error in 'script' command: The external search command 'totalbusinesshours' does not exist in commands.conf.

According to the documentation everything is set up correctly, but nothing works.

Am I missing something? Maybe some flag somewhere to enable the running of external search commands?

Any help would be greatly appreciated!

Thank you and best regards,

Andrew
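For reference, a minimal working version of such a command, added here as an example rather than the script from the thread or Splunk's own code. It uses the splunk.Intersplunk module bundled with Splunk's Python, and assumes Mon-Fri 09:00-17:00 business hours, "YYYY-MM-DD HH:MM:SS" field values and the field names StartTime/EndTime; the commands.conf stanza it expects is the one shown in the question.

```python
"""Legacy (splunk.Intersplunk) custom search command: totalbusinesshours.py

Ships in $SPLUNK_HOME/etc/apps/<app_name>/bin/ and is registered by this
commands.conf stanza in the app's local/ or default/ directory:

    [totalbusinesshours]
    filename = totalbusinesshours.py

Assumed (not from the thread): business hours are Mon-Fri 09:00-17:00 local
time and StartTime/EndTime hold "YYYY-MM-DD HH:MM:SS" strings.
"""
import sys
from datetime import datetime, timedelta

BUSINESS_START, BUSINESS_END = 9, 17  # assumed working day (hours)
TIME_FMT = "%Y-%m-%d %H:%M:%S"        # assumed field format


def business_hours(start, end):
    """Hours of Mon-Fri 09:00-17:00 that overlap the interval [start, end]."""
    if end <= start:
        return 0.0
    total = timedelta()
    day = start.replace(hour=0, minute=0, second=0, microsecond=0)
    while day < end:
        if day.weekday() < 5:  # Monday=0 .. Friday=4
            lo = max(start, day.replace(hour=BUSINESS_START))
            hi = min(end, day.replace(hour=BUSINESS_END))
            if hi > lo:
                total += hi - lo
        day += timedelta(days=1)
    return total.total_seconds() / 3600.0


def add_business_hours(results, start_field, end_field):
    """Add a totalbusinesshours field to each event; unparsable rows get ""."""
    for row in results:
        try:
            s = datetime.strptime(row[start_field], TIME_FMT)
            e = datetime.strptime(row[end_field], TIME_FMT)
            row["totalbusinesshours"] = "%.2f" % business_hours(s, e)
        except (KeyError, ValueError):
            row["totalbusinesshours"] = ""
    return results


if __name__ == "__main__":
    import splunk.Intersplunk as si  # only present in Splunk's bundled Python
    results, _dummy, _settings = si.getOrganizedResults()
    fields = sys.argv[1:3] if len(sys.argv) >= 3 else ["StartTime", "EndTime"]
    si.outputResults(add_business_hours(results, fields[0], fields[1]))
```

Once the file is in place and the stanza is picked up after a restart, the command should appear under Advanced search » Search commands and `... | totalbusinesshours StartTime EndTime` adds the computed field to each event.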


DavidHourani
Super Champion

Hi andrew,

Assuming your python script works and the splunk user has exec permissions, did you configure commands.conf properly? Can you post an extract here?

Also check if you can see your command in "Advanced search » Search commands". It could be that the permissions are set to app and you're trying to run it in another app.

Regards,
David

andrewtrobec
Motivator

@DavidHourani
Thanks for replying. The commands.conf file has a single stanza and looks like this:

[totalbusinesshours]
filename = totalbusinesshours.py

It is located in $SPLUNK_HOME/etc/apps/<app_name>/local/ and encoded with UTF-8-BOM (like the other conf files).

When I go to Advanced search » Search commands, I do not see an entry.


DavidHourani
Super Champion

Does Splunk have read/exec permission on the script? Sorry for asking obvious questions, but it could be the reason.


andrewtrobec
Motivator

@DavidHourani
I'm running Splunk 6.6.3 on Windows 10. The splunkd service is running with local system account that has admin rights, and AFAIK it has all permissions.
