Can you please elaborate? I'm having the same problem, but this isn't enough to help me fix my problem. I'm finding the documentation on writing custom commands pretty sparse. ... View more

I was also looking to answer this question. Much of the documentation that exists is for version 1 of the custom search command protocol, which was deprecated in Splunk 6.4.0. I posted an example here: https://answers.splunk.com/answers/434017/how-to-get-session-key-in-a-search-script-script-s.html#answer-740645 ... View more

It would be interesting to test different searches, index segmentation options, indexed field settings, etc. and be able to accurately determine how many I/Os are required to return results. This is almost exactly my use case. Firewall logs have so much repeated data that their cardinality is low (I think... I sometime get those reversed). I'm trying to determine what the best solution to make them faster is: index-time field extraction, data models, segmenters, etc. ... View more

Just found CLONE_SOURCETYPE today in transforms.conf.spec: http://docs.splunk.com/Documentation/Splunk/latest/admin/Transformsconf Sounds like it might be what you need (see excerpts below): CLONE_SOURCETYPE = <string> * If CLONE_SOURCETYPE is used as part of a transform, the transform will create a modified duplicate event, for all events that the transform is applied to via normal props.conf rules. * Use this feature if you need to store both the original and a modified form of the data in your system, or if you want to send the original and a modified form to different outbound systems. * A typical example would be to retain sensitive information according to one policy and a version with the sensitive information removed according to another policy. For example, some events may have data that you must retain for 30 days (such as personally identifying information) and only 30 days with restricted access, but you need that event retained without the sensitive data for a longer time with wider access. Then in the examples: [hide-ip-address] # Make a clone of an event with the sourcetype masked_ip_address. The clone # will be modified; its text changed to mask the ip address. # The cloned event will be further processed by index-time transforms and # SEDCMD expressions according to its new sourcetype. # In most scenarios an additional transform would be used to direct the # masked_ip_address event to a different index than the original data. REGEX = ^(.*?)src=\d+\.\d+\.\d+\.\d+(.*)$ FORMAT = $1src=XXXXX$2 DEST_KEY = _raw CLONE_SOURCETYPE = masked_ip_addresses ... View more

I have the same problem. Here's the very basic lookup script I've created (external_lookup.py) import logging logging.basicConfig(filename='/tmp/splunk-external_lookup-hello.log',level=logging.DEBUG) logging.debug("foo") If I put it in $SPLUNK_HOME/etc/apps/<app_name>/bin , I get the error Could not find 'external_lookup.py'. It is required for lookup 'external_lookup'. But if I put it in $SPLUNK_HOME/etc/apps/<app_name>/bin it works fine. ... View more

I had this problem when the following string was somewhere in my search: username= The sendemail.py script was not properly escaping the search string, and that part of my search was actually changing the username field within sendemail.py, causing it to try authenticating to the SMTP server. (You can see the authentication errors in /opt/splunk/var/log/splunk/python.log ). I was able to fix it by using something other than username in my search. ... View more

You might check that your time extractions are correct. If Splunk's interpretation of each event's time is incorrect, that could lead to the duration field being incorrect. ... View more

I'd like to hear more about this REST API Based on this doc: http://docs.splunk.com/Documentation/Splunk/latest/RESTAPI/RESTindex It looks like it would only give you the total DB size, not the hot/warm separate from the cold. That would not help in my instance. Am I interpreting that correctly? ... View more