About custom search commands
This documentation does not apply to the most recent version of Splunk.
Splunk provides many search commands, such as fields and transaction, but better still, it lets you extend the search language any way you want by writing your own search commands.
To add a custom search command to Splunk, you need to:
1. Add your command to commands.conf.
2. Write the code for your search command.
Add your command to commands.conf
All external search commands are configured in commands.conf. The commands.conf.spec (located in the README directory) contains the full list of configuration options with explanations for each. This topic will only discuss a couple of the options.
[$STANZA_NAME]
type = <string>
filename = <string>
Each stanza represents one search command. The STANZA_NAME is the name used in a search phrase to invoke the command. Search command names can consist only of alphanumeric characters (a-z, A-Z, and 0-9). A new command should not have the same name as any existing command.
Each stanza name is then followed by attribute and value pairs for each command. At a minimum, the filename is required for each stanza.
Use the filename key to specify the name of the script. Splunk first looks for this script in the bin directory of the app that defines the command, $SPLUNK_HOME/etc/apps/<app_name>/bin/; if it is not there, Splunk looks in $SPLUNK_HOME/etc/searchscripts (which is where most of the scripts that ship with Splunk are stored). In most cases, we recommend placing your script within an application.
Use the type key to specify if the script is Python or Perl. By default, Splunk assumes the script is Python.
Write the code!
Your custom search command can be a Python or a Perl script. Perl scripts are allowed, but there is less support for them. Read the following topic, Write a Python search command, for more specifics about the types of inputs and arguments your script needs to handle.
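The following is an added example, not code from this documentation or from Splunk: a complete external search command that pairs a commands.conf stanza with its Python script. It follows the legacy Splunk 4.x convention in which search results arrive on the script's stdin as CSV and the transformed results go back on stdout as CSV. The command name (redactfield), the field-name whitelist, the masking rule and the ERROR-column convention for reporting bad arguments are assumptions made for this illustration. Because a custom command runs arbitrary code on the search head, the script validates every argument before touching the results.

```python
#!/usr/bin/env python
# Added example (not from the Splunk documentation): a minimal external
# search command, "redactfield", written against the legacy Splunk 4.x
# protocol in which the search results arrive as CSV on stdin and the
# transformed results are written back as CSV on stdout.  The field-name
# check, the masking rule and the ERROR column are assumptions.
#
# Matching commands.conf stanza (assumed names):
#   [redactfield]
#   filename = redactfield.py
#   type = python
#
# Invoked in a search as:  ... | redactfield password ssn
import csv
import re
import sys

# A field name may contain only letters, digits and underscores.  Anything
# else (quotes, pipes, path separators) is rejected up front so a caller
# cannot pass unexpected input into the command.
FIELD_NAME = re.compile(r"^[A-Za-z0-9_]+$")


def parse_args(argv):
    """Validate the command-line arguments and return the field names."""
    fields = []
    for arg in argv:
        if not FIELD_NAME.match(arg):
            raise ValueError("invalid field name: %r" % arg)
        fields.append(arg)
    if not fields:
        raise ValueError("redactfield requires at least one field name")
    return fields


def mask(value):
    """Keep the last two characters of a value and replace the rest with '*'."""
    if len(value) <= 2:
        return "*" * len(value)
    return "*" * (len(value) - 2) + value[-2:]


def redact_rows(rows, fields):
    """Return a new list of result dicts with the named fields masked.

    The input rows are not modified.  A field that is absent from a row
    is left alone instead of raising a KeyError."""
    out = []
    for row in rows:
        new_row = dict(row)
        for f in fields:
            if f in new_row and new_row[f] is not None:
                new_row[f] = mask(new_row[f])
        out.append(new_row)
    return out


def run(argv, stdin, stdout):
    """Read CSV results from stdin, redact, and write CSV to stdout.

    On bad arguments an ERROR row is written instead of a traceback
    (assumed convention for surfacing the message in the search)."""
    try:
        fields = parse_args(argv)
    except ValueError as e:
        writer = csv.DictWriter(stdout, fieldnames=["ERROR"])
        writer.writeheader()
        writer.writerow({"ERROR": str(e)})
        return 1
    reader = csv.DictReader(stdin)
    rows = list(reader)
    header = reader.fieldnames or []
    writer = csv.DictWriter(stdout, fieldnames=header)
    writer.writeheader()
    for row in redact_rows(rows, fields):
        writer.writerow(row)
    return 0


if __name__ == "__main__":
    sys.exit(run(sys.argv[1:], sys.stdin, sys.stdout))
```

Place the script as redactfield.py in $SPLUNK_HOME/etc/apps/<app_name>/bin/ next to the stanza above in that app's commands.conf. The strict field-name pattern is the part worth keeping in any real command: arguments arrive from the search bar, so the script, not the search language, is the last point where they are checked.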
This documentation applies to the following versions of Splunk: 4.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.0.9, 4.0.10, 4.0.11