Splunk® Enterprise

Search Reference

Download manual as PDF

Splunk version 4.x reached its End of Life on October 1, 2013. Please see the migration information.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

Add your custom command to Splunk

After you write your search command, you must edit commands.conf to create an entry for your command. Splunk will not be aware of your custom command until you add it to commands.conf. You can see the full list of configuration options for each command in commands.conf.spec in the Admin Manual. This topic will only discuss a few of the parameters.

Create a new stanza

Each stanza in commands.conf represents the configuration for a search command. Here is an example of a stanza that just enables your custom script:

[<STANZA_NAME>]
filename = <string>

The STANZA_NAME is the keyword that will be specified in search phrases to invoke the command. Search command names can consist only of alphanumeric (a-z, A-Z, and 0-9) characters. New commands (in this case, new stanzas) should not have the same name of any existing commands.

The filename attribute specifies the name of your custom script. Splunk expects this script to be in all appropriate $SPLUNK_HOME/etc/apps/<app_name>/bin/ directories, otherwise it looks for this script in $SPLUNK_HOME/etc/apps/search/bin (which is where most of the scripts that ship with Splunk are stored). In most cases, we recommend placing your script within an app namespace.

After adding your custom command to commands.conf, you need to restart Splunk. Edits to your custom command script or to parameters of an existing command in commands.conf do not require a restart.

PREVIOUS
Write a custom search command
  NEXT
Control access to your custom command

This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters