Write a custom search command
A custom search command is just a Python script that reads data in and writes data out. This topic discusses how your Python script should handle inputs and arguments.
The search command script should be:
- Located in
Search command names can consist only of alphanumeric (a-z, A-Z, and 0-9) characters. New commands should not have the same name of any existing commands.
Types of search commands
There are two subtypes of custom search commands: streaming or non-streaming. A streaming command applies a transformation to each event and writes out the result, such as adding a field to each event. A non-streaming command expects to have all the data before it operates or reduces the data into the output.
The input to the script should be formatted in pure CSV or in Intersplunk, which is a header section followed by a blank line followed by pure CSV body.
The simplest way to interpret your script input is to use
splunk.Intersplunk.readResults, which takes 3 optional parameters and returns a list of dicts (which represents the list of input events). The optional parameters are 'input_buf', 'settings', and 'has_header':
- 'inputbuf' is where to read input from, and if it is None (by default), it is assumed to be
- 'settings' is expected to be a dict where we will store any information found in the input header (default = None, means don't record the settings).
- 'has_header' indicates whether or not we expect an input header and is True by default.
To indicate whether or not your script expects a header, use the 'enableheader' key. The 'enableheader' key defaults to true, which means that the input will contain the header section and you are using the Intersplunk format.
If your script does not expect a header section in the input (
enableheader is false), you can directly use the Python csv module to read the input. For example:
r = csv.reader(sys.stdin)
for l in r:
The advantage of this usage is that you can break at any time in the for loop, and only lines in the input that you had iterated to at that point will have been read into memory. This leads to much better performance for some usage cases.
You can also use Intersplunk to construct your script's output.
splunk.Intersplunk.generateErrorResults takes a string and writes the correct error output to
splunk.Intersplunk.outputResults takes a list of dict objects and writes the appropriate CSV output to
To output data, add:
The output of your script is expected to be pure CSV. For an error condition, simply return a CSV with a single "ERROR" column and a single row (besides the header row) with the contents of the message.
The arguments that are passed to your script (in sys.argv) will be the same arguments that are used to invoke your command in the search language unless your script has
supports_getinfo = true. The
supports_getinfo key indicates that the first argument to your script will either be
__GETINFO__ or __EXECUTE__. This allows you to call the script with the command arguments at parse time to check for syntax errors before any execution of the search. Errors at this time will short circuit any real execution of the search query. If called with
__GETINFO__, this also allows you to dynamically specify the properties of your script (such as streaming or not) depending on your arguments.
If your script has
supports_getinfo set to 'true', you should first make a call like:
(isgetinfo, sys.argv) = splunk.Intersplunk.isGetInfo(sys.argv)
This call will strip the first argument from sys.argv and check if you are in GETINFO mode or EXECUTE mode. If you are in GETINFO mode, your script should use
splunk.Intersplunk.outputInfo() to return the properties of your script or
splunk.Intersplunk.parseError() if the arguments are invalid.
The definition of
outputInfo() and its arguments is as follows:
def outputInfo(streaming, generating, retevs, reqsop, preop, timeorder=False)
You can also set these attributes in commands.conf.
There are two examples in this chapter to help you understand how to write your own custom search command:
About custom search commands
Add your custom command to Splunk
This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7