Splunk Search

Why do I get this error when I try to use my custom search command: "Search Factory: Unknown search command"

Builder

I installed my custom search command by following this guide: http://dev.splunk.com/view/python-sdk/SP-CAAAEU2

Basically the steps are:
1. Create your script
2. Install it into your app's bin directory
3. Edit the app's commands.conf file
4. Restart splunk

I did this, and this worked on an older instance of splunk we have, which is just a searchead and indexer all-in-one. However, on our new clustered instance I'm getting the error in the title from all of the peers when I try to invoke the command.

Is there another step here for clustered environments or something? I installed it on the search head and restarted splunk enterprise from the CLI there. It seems like the indexers aren't getting the file or something. This is a streaming command as well.

Edit: The command works fine when local = true in the commands.conf. However I do not want this. It must be some kind of replication or bundle issue then, right?

0 Karma
1 Solution

Builder

Seems like it's a bug related to older search commands and deploying them with bundles on 6.5 and above: https://answers.splunk.com/answers/507618/unknown-search-command-base64.html

View solution in original post

0 Karma

Builder

Seems like it's a bug related to older search commands and deploying them with bundles on 6.5 and above: https://answers.splunk.com/answers/507618/unknown-search-command-base64.html

View solution in original post

0 Karma

Splunk Employee
Splunk Employee

i’m not sure its a bug or just a behavioural change..i worked with another dev with custom command, and it just seems the “new way” is to deploy ur app to the sh AND the index peers. I chalked it up to bundle enhancements but will try and circle back on it

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!