About writing custom search commands
You can extend the Splunk Search Processing Language (SPL) by customizing the built-in commands, or by writing your own search commands for custom processing or calculations.
If you use Splunk Cloud, you do not have filesystem access to your Splunk deployment. If you want to create custom search commands, file a Support ticket.
The following table describes the protocols, formats, and SDKs that you can use to create custom search commands.
|Supported protocols||Description||Supported executable formats||SDK|
|Custom Search Command protocol, Version 2||Use to create custom commands for a wide range of platforms and executable formats.||.bat, .cmd, .exe, .js, .pl, .py, .sh||Splunk SDK for Python|
|Custom Search Command protocol, Version 1|| Use with the Splunk SDK for Python to create custom commands for Python.
Use with the Intersplunk.py SDK only to support existing custom commands.
Splunk SDK for Python
Custom search commands that use Version 2 of the Custom Search Command protocol, can be implemented in a variety of programming languages. These custom commands can even be implemented as platform-specific binary files.
By contrast, custom search commands that use the Version 1 protocol can be implemented only in Python. Custom commands that use the Version 1 protocol can only run using the Python interpreter that is included with the Splunk software.
About the SDKs
Use the Splunk SDK for Python to create custom search commands. The Splunk SDK for Python includes several templates that you can use to build new custom search commands.
Intersplunk.py is an older SDK and should only be used to support existing custom search commands that were built using the Version 1 protocol. You should not use the Intersplunk.py SDK for new custom search commands.
About the protocols
Version 2 protocol
There are significant advantages to using the Version 2 of the Custom Search Command protocol.
- With the Version 2 protocol, external programs process through an entire set of Splunk search results in one invocation. The external program is invoked once for the entire search, greatly reducing runtime overhead.
- The Version 2 protocol requires fewer configuration attributes than the Version 1 protocol.
- Support for platform-specific executable files and binaries. You can write custom search commands in compiled languages, such as C++, on multiple platforms.
Version 1 protocol
The Version 1 of the Custom Search Command protocol processes events in groups, using 50,000 events for each group. The external program is invoked and terminated multiple times for large result sets.
Forward data to third-party systems
Write a custom search command
This documentation applies to the following versions of Splunk® Enterprise: 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 7.0.0, 7.0.1, 7.0.2