Splunk Search
Highlighted

Why do I get this error when I try to use my custom search command: "Search Factory: Unknown search command"

Builder

I installed my custom search command by following this guide: http://dev.splunk.com/view/python-sdk/SP-CAAAEU2

Basically the steps are:
1. Create your script
2. Install it into your app's bin directory
3. Edit the app's commands.conf file
4. Restart splunk

I did this, and this worked on an older instance of splunk we have, which is just a searchead and indexer all-in-one. However, on our new clustered instance I'm getting the error in the title from all of the peers when I try to invoke the command.

Is there another step here for clustered environments or something? I installed it on the search head and restarted splunk enterprise from the CLI there. It seems like the indexers aren't getting the file or something. This is a streaming command as well.

Edit: The command works fine when local = true in the commands.conf. However I do not want this. It must be some kind of replication or bundle issue then, right?

0 Karma
Highlighted

Re: Why do I get this error when I try to use my custom search command: "Search Factory: Unknown search command"

Builder

Seems like it's a bug related to older search commands and deploying them with bundles on 6.5 and above: https://answers.splunk.com/answers/507618/unknown-search-command-base64.html

View solution in original post

0 Karma
Highlighted

Re: Why do I get this error when I try to use my custom search command: "Search Factory: Unknown search command"

Influencer

i’m not sure its a bug or just a behavioural change..i worked with another dev with custom command, and it just seems the “new way” is to deploy ur app to the sh AND the index peers. I chalked it up to bundle enhancements but will try and circle back on it

0 Karma
Speak Up for Splunk Careers!

We want to better understand the impact Splunk experience and expertise has has on individuals' careers, and help highlight the growing demand for Splunk skills.