Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why do I get this error when I try to use my custom search command: "Search Factory: Unknown search command"

thisissplunk
Builder
‎11-03-2017 04:59 PM

I installed my custom search command by following this guide: http://dev.splunk.com/view/python-sdk/SP-CAAAEU2

Basically the steps are:
1. Create your script
2. Install it into your app's bin directory
3. Edit the app's commands.conf file
4. Restart splunk

I did this, and this worked on an older instance of splunk we have, which is just a searchead and indexer all-in-one. However, on our new clustered instance I'm getting the error in the title from all of the peers when I try to invoke the command.

Is there another step here for clustered environments or something? I installed it on the search head and restarted splunk enterprise from the CLI there. It seems like the indexers aren't getting the file or something. This is a streaming command as well.

Edit: The command works fine when local = true in the commands.conf. However I do not want this. It must be some kind of replication or bundle issue then, right?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

thisissplunk
Builder
‎11-03-2017 06:44 PM

Seems like it's a bug related to older search commands and deploying them with bundles on 6.5 and above: https://answers.splunk.com/answers/507618/unknown-search-command-base64.html

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

thisissplunk
Builder
‎11-03-2017 06:44 PM

Seems like it's a bug related to older search commands and deploying them with bundles on 6.5 and above: https://answers.splunk.com/answers/507618/unknown-search-command-base64.html

0 Karma
Reply
Solved! Jump to solution

mattymo
Splunk Employee
Splunk Employee
‎11-04-2017 08:05 AM

i’m not sure its a bug or just a behavioural change..i worked with another dev with custom command, and it just seems the “new way” is to deploy ur app to the sh AND the index peers. I chalked it up to bundle enhancements but will try and circle back on it

- MattyMo
Reply
Get Updates on the Splunk Community!

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

As of today, Enterprise Security (ES) Essentials 8.3 is now generally available, helping SOC teams simplify ...