Splunk® Enterprise

Search Reference

Splunk version 4.x reached its End of Life on October 1, 2013.
This documentation does not apply to the most recent version of Splunk.

Example 1: shape

The following is a new command called "shape" that categorizes events based on their line count and line length (tall, short, thin, wide, very_wide) and on whether or not they are indented:

Step 1: Write the code! Here is shape.py:

  import splunk.Intersplunk

  def getShape(text):
      # describe the event by line count, average line length and indentation
      description = []
      linecount = text.count("\n") + 1
      if linecount > 10:
          description.append("tall")
      elif linecount > 1:
          description.append("short")
      avglinelen = len(text) / linecount
      if avglinelen > 500:
          description.append("very_wide")
      elif avglinelen > 200:
          description.append("wide")
      elif avglinelen < 80:
          description.append("thin")
      # a line starting with a space or tab means the event is indented
      if text.find("\n ") >= 0 or text.find("\n\t") >= 0:
          description.append("indented")
      if len(description) == 0:
          return "normal"
      return "_".join(description)

  # get the previous search results
  results, unused1, unused2 = splunk.Intersplunk.getOrganizedResults()

  # for each result, add a 'shape' attribute, calculated from the raw event text
  for result in results:
      result["shape"] = getShape(result["_raw"])

  # output results
  splunk.Intersplunk.outputResults(results)

Step 2: Tell Splunk about this external command in commands.conf:

[shape]
filename = shape.py

It works!

Run the search. For example, show the top shapes for multi-line events:

$ splunk search "linecount>1 | shape | top shape"

shape count percent

tall_indented 43 43.000000
short_indented 29 29.000000
tall_thin_indented 15 15.000000
short_thin_indented 10 10.000000
short_thin 3 3.000000
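To check the classifier's boundaries and the `top shape` tally before copying shape.py into $SPLUNK_HOME, here is an added offline harness (not part of the Splunk documentation and not shape.py itself). It mirrors the same rules without importing splunk.Intersplunk, and additionally guards the one failure the script above has: a result with no `_raw` field (as produced after a transforming command such as `stats`) raises a KeyError in `result["_raw"]`. The function names, the `top_shape` tally and the sample events are constructed for this example.

```python
from collections import Counter

def get_shape(text):
    """Same rules as the page's getShape(): line count, average line length, indentation."""
    description = []
    linecount = text.count("\n") + 1
    if linecount > 10:
        description.append("tall")
    elif linecount > 1:
        description.append("short")
    avglinelen = len(text) / linecount
    if avglinelen > 500:
        description.append("very_wide")
    elif avglinelen > 200:
        description.append("wide")
    elif avglinelen < 80:
        description.append("thin")
    if "\n " in text or "\n\t" in text:
        description.append("indented")
    return "_".join(description) if description else "normal"

def shape_results(results):
    """Annotate results in place; a result without _raw gets "" instead of a KeyError."""
    for result in results:
        raw = result.get("_raw")
        result["shape"] = get_shape(raw) if raw is not None else ""
    return results

def top_shape(results):
    """(shape, count, percent) per shape, descending, like `top shape` on the page."""
    shapes = [r["shape"] for r in results if r.get("shape")]
    counts = Counter(shapes)
    return [(s, n, 100.0 * n / len(shapes)) for s, n in counts.most_common()]

# Constructed sample events (not real Splunk data); the stack trace appears twice.
TRACE = "ERROR boom\n    at a.b.c(Foo.java:10)\n    at d.e.f(Bar.java:20)"
SAMPLE_EVENTS = [
    {"_raw": TRACE}, {"_raw": TRACE},                        # short_thin_indented
    {"_raw": "\n".join("line %d" % i for i in range(11))},   # tall_thin
    {"_raw": "x" * 600},                                     # very_wide
    {"_raw": "y" * 100},                                     # normal (avg len 100)
    {"count": "42"},                                         # no _raw, e.g. after stats
]

if __name__ == "__main__":
    for shape, count, percent in top_shape(shape_results(SAMPLE_EVENTS)):
        print("%s %d %f" % (shape, count, percent))
```

Note that a 10-line event is "short" (the tall threshold is strictly greater than 10) and an average line length of exactly 80 gets no width descriptor.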


This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7


Splunk already has a shape command, so this example will not work unless you change the name of your command to something else.

January 28, 2012

To Rachel, and all others who are wondering if Splunk needs to be restarted, the answer is yes if you modified commands.conf (for adding the new command or changing parameters). But once added, you no longer need to restart it.

November 13, 2011

Hmm, looks like the comment system eats angle brackets. It should be named (yourcommand).py

July 13, 2010

Hi Vly. As noted in http://www.splunk.com/base/Documentation/latest/SearchReference/WriteaPythonsearchcommand , the search command script should be located in $SPLUNK_HOME/etc/apps//bin/ and named .py.
As noted in http://www.splunk.com/base/Documentation/latest/SearchReference/Aboutcustomsearchcommands , you can write search commands in Perl or Python, but there is more support for Python.

I've asked about the restart on Answers, here:
http://answers.splunk.com/questions/4618/do-you-have-to-restart-splunk-when-youve-added-a-custom-search-command

July 13, 2010

A few questions. Where should the script (in this example, shape.py) live? Is it possible to implement the custom search command using a scripting language other than Python? Also, is a Splunk server restart required?

July 12, 2010
