Add your custom command to Splunk
After you write your search command, you must edit commands.conf to create an entry for your command. Splunk will not be aware of your custom command until you add it to commands.conf. You can see the full list of configuration options for each command in commands.conf.spec in the Admin Manual. This topic will only discuss a few of the parameters.
Create a new stanza
Each stanza in commands.conf represents the configuration for a search command. Here is an example of a stanza that just enables your custom script:
[<STANZA_NAME>]
filename = <string>
STANZA_NAME is the keyword that is specified in search phrases to invoke the command. Search command names can consist only of alphanumeric (a-z, A-Z, and 0-9) characters. New commands (in this case, new stanzas) should not have the same name as any existing command.
The filename attribute specifies the name of your custom script. Splunk expects this script to be in all appropriate $SPLUNK_HOME/etc/apps/<app_name>/bin/ directories; otherwise, it looks for this script in $SPLUNK_HOME/etc/apps/search/bin (which is where most of the scripts that ship with Splunk are stored). In most cases, we recommend placing your script within an app namespace.
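A lint for the rules above, as an added example that is not part of the Splunk documentation: it checks each stanza name against the alphanumeric rule, flags collisions with a caller-supplied list of existing command names, and confirms the script resolves in the app's bin directory or in search/bin. The function names, the "myapp" app, the sample stanzas and the bare-filename check (a script name with no path component) are assumptions made for this example.

```python
import configparser
import re
import tempfile
from pathlib import Path

NAME_RE = re.compile(r"[A-Za-z0-9]+")  # naming rule stated on this page
# Constructed sample commands.conf for a hypothetical app named "myapp".
SAMPLE_CONF = """\
[shape]
filename = shape.py
[bad-name]
filename = shape.py
[stats]
filename = missing.py
[escape]
filename = ../other/tool.py
"""


def check_commands_conf(conf_text, splunk_home, app_name, existing=()):
    """Return (stanza, problem) pairs for one app's commands.conf text."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    apps = Path(splunk_home) / "etc" / "apps"
    # Lookup order described on this page: the app's bin, then search/bin.
    bins = [apps / app_name / "bin", apps / "search" / "bin"]
    problems = []
    for stanza in parser.sections():
        if not NAME_RE.fullmatch(stanza):
            problems.append((stanza, "name is not strictly alphanumeric"))
        if stanza in existing:
            problems.append((stanza, "name collides with an existing command"))
        filename = parser[stanza].get("filename")
        if not filename:
            problems.append((stanza, "no filename attribute"))
        elif Path(filename).name != filename:
            problems.append((stanza, "filename is not a bare script name"))
        elif not any((b / filename).is_file() for b in bins):
            problems.append((stanza, "script not found in app or search bin"))
    return problems


def demo():
    """Lint SAMPLE_CONF against a throwaway $SPLUNK_HOME layout."""
    with tempfile.TemporaryDirectory() as home:
        bin_dir = Path(home, "etc", "apps", "myapp", "bin")
        bin_dir.mkdir(parents=True)
        (bin_dir / "shape.py").write_text("# placeholder script\n")
        return check_commands_conf(SAMPLE_CONF, home, "myapp", {"stats"})
```

Calling demo() returns the findings for the constructed sample; in real use, pass the text of an app's commands.conf and the actual $SPLUNK_HOME to check_commands_conf().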
After adding your custom command to commands.conf, you need to restart Splunk. Edits to your custom command script or to parameters of an existing command in commands.conf do not require a restart.
This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7