Example 1: shape
The following is a new command called "shape" that categorizes events based on their line count and line length (tall, short, thin, wide, very_wide) and whether or not they are indented:
Step 1: Write the code! Here is shape.py:
import splunk.Intersplunk

def getShape(text):
    description = []
    # number of lines in the raw event
    linecount = text.count("\n") + 1
    if linecount > 10:
        description.append("tall")
    elif linecount > 1:
        description.append("short")
    # average line length decides thin / wide / very_wide
    avglinelen = len(text) / linecount
    if avglinelen > 500:
        description.append("very_wide")
    elif avglinelen > 200:
        description.append("wide")
    elif avglinelen < 80:
        description.append("thin")
    # a line that starts with a space or tab counts as indented
    if text.find("\n ") >= 0 or text.find("\n\t") >= 0:
        description.append("indented")
    if len(description) == 0:
        return "normal"
    return "_".join(description)

# get the previous search results
results, unused1, unused2 = splunk.Intersplunk.getOrganizedResults()

# for each result, add a 'shape' attribute, calculated from the raw event text
for result in results:
    result["shape"] = getShape(result["_raw"])

# output results
splunk.Intersplunk.outputResults(results)
Step 2: Tell Splunk about this external command in commands.conf:
[shape]
filename = shape.py
It works!
Run the search. For example, show the top shapes for multi-line events:
$ splunk search "linecount>1 | shape | top shape"
shape                 count   percent
tall_indented         43      43.000000
short_indented        29      29.000000
tall_thin_indented    15      15.000000
short_thin_indented   10      10.000000
short_thin            3       3.000000
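As an added example (not the page's own code), here is the same classifier written so that a result without a `_raw` field is tagged instead of raising a KeyError, with an offline stand-in for `| top shape` run over constructed events; the `splunk.Intersplunk` import is optional so the script also runs outside Splunk, and the field names `_raw` and `shape` are the ones the page uses.

```python
# Added example, not the Splunk docs' code: the page's shape classifier with a
# guard for results that lack _raw, plus an offline stand-in for "| top shape".
from collections import Counter

def get_shape(text):
    description = []
    linecount = text.count("\n") + 1
    if linecount > 10:
        description.append("tall")
    elif linecount > 1:
        description.append("short")
    avglinelen = len(text) // linecount  # integer average, as in the original
    if avglinelen > 500:
        description.append("very_wide")
    elif avglinelen > 200:
        description.append("wide")
    elif avglinelen < 80:
        description.append("thin")
    if "\n " in text or "\n\t" in text:  # a continuation line starts with whitespace
        description.append("indented")
    return "_".join(description) if description else "normal"

def add_shape(results):
    """Add a 'shape' field; a result without a string _raw gets 'unknown'."""
    for result in results:
        raw = result.get("_raw")
        result["shape"] = get_shape(raw) if isinstance(raw, str) else "unknown"
    return results

def top_shapes(results):
    """Offline equivalent of '| top shape': [(shape, count, percent), ...]."""
    counts = Counter(r["shape"] for r in results)
    total = sum(counts.values())
    return [(s, c, 100.0 * c / total) for s, c in counts.most_common()]

SAMPLE = [  # constructed sample events, not real Splunk data
    {"_raw": "single line"},                           # thin (one line: no tall/short)
    {"_raw": "Traceback:\n  File a.py\n  File b.py"},  # short_thin_indented
    {"_raw": "\n".join(["line"] * 11)},                # tall_thin
    {"_raw": "x" * 600},                               # very_wide
    {"host": "h1"},                                    # no _raw -> unknown
]

if __name__ == "__main__":
    try:
        import splunk.Intersplunk  # only importable inside Splunk's Python
        results, _, _ = splunk.Intersplunk.getOrganizedResults()
        splunk.Intersplunk.outputResults(add_shape(results))
    except ImportError:  # running outside Splunk: show the sample table
        for row in top_shapes(add_shape(SAMPLE)):
            print("%-22s %d %f" % row)
```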
This documentation applies to the following versions of Splunk: 4.1, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.7, 4.1.8, 4.2, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6
Comments
To Rachel, and all others who are wondering if Splunk needs to be restarted, the answer is yes if you modified commands.conf (for adding the new command or changed parameters).
But once added, you no longer need to restart it.
Hmm, looks like the comment system eats angle brackets. It should be named (yourcommand).py
Hi Vly. As noted in http://www.splunk.com/base/Documentation/latest/SearchReference/WriteaPythonsearchcommand , the search command script should be located in $SPLUNK_HOME/etc/apps//bin/ and named .py.
As noted in http://www.splunk.com/base/Documentation/latest/SearchReference/Aboutcustomsearchcommands , you can write search commands in Perl or Python, but there is more support for Python.
I've asked about the restart on Answers, here:
http://answers.splunk.com/questions/4618/do-you-have-to-restart-splunk-when-youve-added-a-custom-search-command
A few questions. Where should the script (in this example, shape.py) live? Is it possible to implement the custom search command using a scripting language other than Python? Also, is a Splunk server restart required?
Splunk already has a shape command, so this example will not work unless you change the name of your command to something else.