Splunk® Enterprise

Search Manual


Custom search command example

This topic applies to only the Intersplunk.py file and the Version 1 protocol.

For a Version 2 protocol example, see How to create custom search commands using Splunk SDK for Python on dev.splunk.com. There are several examples on that page.

Additionally, there are other examples for the Splunk SDK for Python.


The following is an example of a custom search command called shape. The shape command categorizes events based on the event line count (tall or short), the average line length (thin, wide, or very_wide), and whether or not the lines are indented.

Add the Python script

Add this script, shape.py, to the bin directory of an appropriate app, $SPLUNK_HOME/etc/apps/<app_name>/bin/:

  import splunk.Intersplunk

  def getShape(text):
      """Describe the shape of one raw event's text."""
      description = []
      # Height: number of lines in the event
      linecount = text.count("\n") + 1
      if linecount > 10:
          description.append("tall")
      elif linecount > 1:
          description.append("short")
      # Width: average number of characters per line
      avglinelen = len(text) / linecount
      if avglinelen > 500:
          description.append("very_wide")
      elif avglinelen > 200:
          description.append("wide")
      elif avglinelen < 80:
          description.append("thin")
      # Indentation: any line after the first that starts with a space or tab
      if text.find("\n ") >= 0 or text.find("\n\t") >= 0:
          description.append("indented")
      if len(description) == 0:
          return "normal"
      return "_".join(description)

  # get the previous search results
  results, unused1, unused2 = splunk.Intersplunk.getOrganizedResults()

  # for each result, add a 'shape' field calculated from the raw event text
  # (an event without a _raw field is treated as empty text instead of raising KeyError)
  for result in results:
      result["shape"] = getShape(result.get("_raw", ""))

  # output results
  splunk.Intersplunk.outputResults(results)
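To exercise the classification logic without a Splunk instance, the following harness (an added example, not code from the Splunk documentation) wraps the same thresholds in plain CSV input and output. It assumes that the Version 1 protocol passes the search results to the script as CSV on stdin and reads the annotated results back as CSV on stdout, which is the exchange that Intersplunk's getOrganizedResults and outputResults hide; the settings header that precedes the CSV in the real protocol is left out, and the sample events are constructed.

```python
"""
Added example (not from the Splunk documentation): an offline harness around
the shape classifier, exchanging results as CSV the way the Version 1 protocol
does between Splunk and the script (assumption: the settings header block that
precedes the CSV in the real protocol is omitted here).
"""
import csv
import io
import sys


def get_shape(text):
    """Classify raw event text with the same thresholds as the page's getShape.

    Integer division is used explicitly so the thresholds behave identically
    under Python 2 and 3. linecount is never 0, so empty text is safe.
    """
    description = []
    linecount = text.count("\n") + 1
    if linecount > 10:
        description.append("tall")
    elif linecount > 1:
        description.append("short")
    avglinelen = len(text) // linecount
    if avglinelen > 500:
        description.append("very_wide")
    elif avglinelen > 200:
        description.append("wide")
    elif avglinelen < 80:
        description.append("thin")
    if "\n " in text or "\n\t" in text:
        description.append("indented")
    return "_".join(description) if description else "normal"


def add_shape(results):
    """Add a 'shape' field to every result dict; an event lacking _raw is treated as empty."""
    for result in results:
        result["shape"] = get_shape(result.get("_raw", ""))
    return results


def process_csv(csv_text):
    """Results CSV in -> annotated results CSV out (what the command emits)."""
    rows = add_shape(list(csv.DictReader(io.StringIO(csv_text))))
    fields = list(rows[0].keys()) if rows else []
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=fields, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


def shapes_in(csv_text):
    """Return the shape column of an emitted CSV, in row order."""
    return [row["shape"] for row in csv.DictReader(io.StringIO(csv_text))]


# Constructed sample input: three events with different shapes.
SAMPLE_INPUT = (
    "_raw,host\n"
    '"line one\n    indented line",web01\n'
    '"' + "\n".join("l%d" % i for i in range(12)) + '",web02\n'
    '"a single long line ' + "x" * 300 + '",web03\n'
)

if __name__ == "__main__":
    # Pass --stdin to feed real CSV in; otherwise the constructed sample is used.
    data = sys.stdin.read() if "--stdin" in sys.argv else SAMPLE_INPUT
    sys.stdout.write(process_csv(data))
```

Running it on the constructed sample yields the shapes short_thin_indented, tall_thin and wide for the three events; the threshold boundaries (an 80-character single line is normal, 79 characters is thin) are where the classification is easiest to get wrong when tuning the numbers.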

Edit the configuration files

Edit the following configuration files in the local directory for the app, for example $SPLUNK_HOME/etc/apps/<app_name>/local.

  1. In the commands.conf file, add this stanza:

       [shape]
       filename = shape.py

  2. In the authorize.conf file, add these two stanzas:

       [capability::run_script_shape]

       [role_admin]
       run_script_shape = enabled

  3. Restart Splunk Enterprise.
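Because a custom command runs a script with the privileges of the Splunk process, the run_script_<command> capability in authorize.conf is what decides which roles can invoke it. The following audit (an added example, not code from the Splunk documentation) reads the two files the procedure edits and reports, for each command in commands.conf, whether its capability stanza is declared and which roles hold it, following importRoles inheritance. The configuration contents are constructed; in a deployment they would come from the app's local directory.

```python
"""
Added example (not from the Splunk documentation): audit which roles can run
each custom search command by cross-checking commands.conf and authorize.conf.
Splunk .conf files are INI-like, so configparser is used; stanza and key case
are preserved. The role importRoles key (';'-separated) is followed so that
inherited capabilities are counted.
"""
import configparser


def parse_conf(text):
    """Parse Splunk .conf text, keeping stanza and key case."""
    parser = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    parser.optionxform = str  # do not lowercase keys such as importRoles
    parser.read_string(text)
    return parser


def custom_commands(commands_conf):
    """Return {command_name: script filename} for every stanza in commands.conf."""
    return {name: commands_conf[name].get("filename", "") for name in commands_conf.sections()}


def effective_capabilities(authorize_conf, role):
    """Capabilities a role holds, including those inherited via importRoles."""
    caps, seen, todo = set(), set(), [role]
    while todo:
        current = todo.pop()
        if current in seen:  # guards against import cycles
            continue
        seen.add(current)
        stanza = "role_" + current
        if stanza not in authorize_conf:
            continue
        for key, value in authorize_conf[stanza].items():
            if key == "importRoles":
                todo.extend(p.strip() for p in value.split(";") if p.strip())
            elif value is not None and value.strip().lower() == "enabled":
                caps.add(key)
    return caps


def audit(commands_text, authorize_text):
    """Map each custom command to its script, capability status and holding roles."""
    commands = parse_conf(commands_text)
    authorize = parse_conf(authorize_text)
    roles = [s[len("role_"):] for s in authorize.sections() if s.startswith("role_")]
    report = {}
    for cmd, script in custom_commands(commands).items():
        cap = "run_script_" + cmd
        report[cmd] = {
            "script": script,
            "capability_declared": ("capability::" + cap) in authorize,
            "roles": sorted(r for r in roles if cap in effective_capabilities(authorize, r)),
        }
    return report


# Constructed sample configuration (hypothetical roles and second command).
COMMANDS_CONF = """
[shape]
filename = shape.py

[legacytool]
filename = legacytool.py
"""

AUTHORIZE_CONF = """
[capability::run_script_shape]

[role_admin]
run_script_shape = enabled

[role_soc_analyst]
importRoles = admin

[role_user]
run_script_legacytool = enabled
"""

if __name__ == "__main__":
    for cmd, info in audit(COMMANDS_CONF, AUTHORIZE_CONF).items():
        flag = "" if info["capability_declared"] else "  <-- capability stanza missing"
        print("%s (%s): roles=%s%s" % (cmd, info["script"], ", ".join(info["roles"]) or "none", flag))
```

In the constructed sample the audit shows that shape is runnable by admin and, through importRoles, by soc_analyst, while legacytool has been granted to the user role without its capability stanza ever being declared; that second case is the kind of drift worth catching before a low-privilege role can trigger script execution.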

Run the command

This example shows how to run the search from the CLI. You can also run the command in Splunk Web.

Show the top shapes for multi-line events:

$ splunk search "linecount>1 | shape | top shape"

The results of the search are returned in a table format.

shape                       count     percent

tall_indented               43        43.000000
short_indented              29        29.000000
tall_thin_indented          15        15.000000
short_thin_indented         10        10.000000
short_thin                  3         3.000000

This documentation applies to the following versions of Splunk® Enterprise: 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18, 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 7.0.0


Comments

This page desperately needs a version 2 example.

DUThibault
October 31, 2017

Thanks, we've fixed the typo.

Cgales splunk, Splunker
April 8, 2013

This [capability::run_script_shaoe] should be [capability::run_script_shape]

Dturnbull splunk
April 8, 2013
