Splunk Search

Why do I get this error when I try to use my custom search command: "Search Factory: Unknown search command"

Builder

I installed my custom search command by following this guide: http://dev.splunk.com/view/python-sdk/SP-CAAAEU2

Basically the steps are:
1. Create your script
2. Install it into your app's bin directory
3. Edit the app's commands.conf file
4. Restart splunk

I did this, and this worked on an older instance of splunk we have, which is just a searchead and indexer all-in-one. However, on our new clustered instance I'm getting the error in the title from all of the peers when I try to invoke the command.

Is there another step here for clustered environments or something? I installed it on the search head and restarted splunk enterprise from the CLI there. It seems like the indexers aren't getting the file or something. This is a streaming command as well.

Edit: The command works fine when local = true in the commands.conf. However I do not want this. It must be some kind of replication or bundle issue then, right?

0 Karma
1 Solution

Builder

Seems like it's a bug related to older search commands and deploying them with bundles on 6.5 and above: https://answers.splunk.com/answers/507618/unknown-search-command-base64.html

View solution in original post

0 Karma

Builder

Seems like it's a bug related to older search commands and deploying them with bundles on 6.5 and above: https://answers.splunk.com/answers/507618/unknown-search-command-base64.html

View solution in original post

0 Karma

Splunk Employee
Splunk Employee

i’m not sure its a bug or just a behavioural change..i worked with another dev with custom command, and it just seems the “new way” is to deploy ur app to the sh AND the index peers. I chalked it up to bundle enhancements but will try and circle back on it

0 Karma