Custom search command example: shape
Suppose you want to write a new search command called "shape" that categorizes each event by its line count and average line length (tall, short, thin, wide, and so on):
Step 1: Tell Splunk about this external command in commands.conf:
[shape]
filename = shape.py
Step 2: Write the code! Here is shape.py:
import splunk.Intersplunk

def getShape(text):
    # build up a list of adjectives describing the event, then join them with "_"
    description = []
    linecount = text.count("\n") + 1
    if linecount > 10:
        description.append("tall")
    elif linecount > 1:
        description.append("short")
    avglinelen = len(text) / linecount
    if avglinelen > 500:
        description.append("very_wide")
    elif avglinelen > 200:
        description.append("wide")
    elif avglinelen < 80:
        description.append("thin")
    # a line that starts with a space or a tab means the event is indented
    if text.find("\n ") >= 0 or text.find("\n\t") >= 0:
        description.append("indented")
    if len(description) == 0:
        return "normal"
    return "_".join(description)

# get the previous search results
results, unused1, unused2 = splunk.Intersplunk.getOrganizedResults()

# for each result, add a 'shape' attribute, calculated from the raw event text
for result in results:
    result["shape"] = getShape(result["_raw"])

# output results
splunk.Intersplunk.outputResults(results)
It works! Show me the top shapes among events with more than one line:

$ splunk search "linecount>1 | shape | top shape"
shape                 count   percent
-------------------   -----   ---------
tall_indented         43      43.000000
short_indented        29      29.000000
tall_thin_indented    15      15.000000
short_thin_indented   10      10.000000
short_thin            3       3.000000
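To see the classifier's thresholds in action without a Splunk instance, the following added example (not from the page or from Splunk) re-implements the same shape rules as a pure function and emulates the rest of the `| shape | top shape` pipeline offline. The `splunk.Intersplunk` calls are replaced by an in-memory list of constructed events, and the function names `get_shape`, `shape_command` and `top` are this example's own. It also covers one failure mode the page's script does not handle: a result with no `_raw` field, which would raise a `KeyError` in the page's version and here gets the label `unknown` instead of aborting the whole search.

```python
from collections import Counter


def get_shape(text):
    """Classify raw event text by line count, average line length and
    indentation, using the same thresholds as the page's shape.py."""
    description = []
    linecount = text.count("\n") + 1
    if linecount > 10:
        description.append("tall")
    elif linecount > 1:
        description.append("short")
    # integer division, matching the Python 2 behaviour the original relied on
    avglinelen = len(text) // linecount
    if avglinelen > 500:
        description.append("very_wide")
    elif avglinelen > 200:
        description.append("wide")
    elif avglinelen < 80:
        description.append("thin")
    if "\n " in text or "\n\t" in text:
        description.append("indented")
    return "_".join(description) if description else "normal"


def shape_command(results):
    """Stand-in for what shape.py does between getOrganizedResults() and
    outputResults(): add a 'shape' field to each result dict.
    Events without a string _raw are labelled 'unknown' rather than raising."""
    for result in results:
        raw = result.get("_raw")
        result["shape"] = get_shape(raw) if isinstance(raw, str) else "unknown"
    return results


def top(results, field):
    """Emulate '| top <field>': (value, count, percent) rows, most common first."""
    counts = Counter(r[field] for r in results)
    total = sum(counts.values())
    return [(value, count, round(100.0 * count / total, 6))
            for value, count in counts.most_common()]


# Constructed sample events (made up for this example, not real data).
SYSLOG = "Jan 1 00:00:01 host sshd[1234]: Accepted publickey for alice from 10.0.0.5"
WIDE_JSON = '{"event": "' + "x" * 600 + '"}'
STACK_TRACE = "Exception in thread main java.lang.NullPointerException\n" + "".join(
    "\tat com.example.Service.method%d(Service.java:%d)\n" % (i, 40 + i)
    for i in range(11))
SHORT_INDENTED = "ERROR something failed\n    caused by: disk full\n"

SAMPLE_EVENTS = [
    {"_raw": SYSLOG},
    {"_raw": SYSLOG},
    {"_raw": WIDE_JSON},
    {"_raw": STACK_TRACE},
    {"_raw": SHORT_INDENTED},
    {"host": "web01"},          # no _raw at all: exercises the defensive branch
]


def run_pipeline(events=SAMPLE_EVENTS):
    """Run the emulated 'shape | top shape' pipeline and return the top rows."""
    return top(shape_command([dict(e) for e in events]), "shape")


if __name__ == "__main__":
    print("%-22s %-6s %s" % ("shape", "count", "percent"))
    for value, count, percent in run_pipeline():
        print("%-22s %-6d %f" % (value, count, percent))
```

Each constructed event is chosen to land on one side of a threshold: the one-line syslog record is under 80 characters (thin), the JSON blob is a single line over 500 characters (very_wide), the stack trace has 13 lines averaging well under 80 characters with tab-indented frames (tall_thin_indented), and the three-line error is short, thin and space-indented.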
This documentation applies to the following versions of Splunk: 4.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.0.9, 4.0.10, 4.0.11