
Custom event-generating command example
This section gives you a plug-and-play script that you can iterate on to build your own custom search command.
Example code
A more complete custom search command, built on the Splunk SDK for Python, is available in the Splunk GitHub repository:
Splunk github python SDK custom search command
WinAD
The following custom search command runs a Python script, WinAD.py, to collect Active Directory domain information through WMI (the Win32_NTDomain class). This sample Python script is available from Microsoft. It imports win32com, which is part of the pywin32 package, so that package must be importable by the Python interpreter that Splunk uses to run the command.
Add the python script
Add this script, WinAD.py, to the bin directory of an appropriate app, $SPLUNK_HOME/etc/apps/<app_name>/bin/:

from __future__ import print_function  # print() works under both Python 2.7 (Splunk 6.x) and Python 3
import win32com.client  # pywin32; must be importable by the interpreter Splunk runs this script with

strComputer = "."  # "." queries the local machine
objWMIService = win32com.client.Dispatch("WbemScripting.SWbemLocator")
objSWbemServices = objWMIService.ConnectServer(strComputer, r"root\cimv2")  # raw string: keep the backslash literal
colItems = objSWbemServices.ExecQuery("Select * from Win32_NTDomain")
for objItem in colItems:
    print("Caption: ", objItem.Caption)
    print("Client Site Name: ", objItem.ClientSiteName)
    print("Creation Class Name: ", objItem.CreationClassName)
    print("Dc Site Name: ", objItem.DcSiteName)
    print("Description: ", objItem.Description)
    print("Dns Forest Name: ", objItem.DnsForestName)
    print("Domain Controller Address: ", objItem.DomainControllerAddress)
    print("Domain Controller Address Type: ", objItem.DomainControllerAddressType)
    print("Domain Controller Name: ", objItem.DomainControllerName)
    print("Domain Guid: ", objItem.DomainGuid)
    print("Domain Name: ", objItem.DomainName)
    print("DS Directory Service Flag: ", objItem.DSDirectoryServiceFlag)
    print("DS Dns Controller Flag: ", objItem.DSDnsControllerFlag)
    print("DS Dns Domain Flag: ", objItem.DSDnsDomainFlag)
    print("DS Dns Forest Flag: ", objItem.DSDnsForestFlag)
    print("DS Global Catalog Flag: ", objItem.DSGlobalCatalogFlag)
    print("DS Kerberos Distribution Center Flag: ", objItem.DSKerberosDistributionCenterFlag)
    print("DS Primary Domain Controller Flag: ", objItem.DSPrimaryDomainControllerFlag)
    print("DS Time Service Flag: ", objItem.DSTimeServiceFlag)
    print("DS Writable Flag: ", objItem.DSWritableFlag)
    print("Install Date: ", objItem.InstallDate)
    print("Name: ", objItem.Name)
    print("Name Format: ", objItem.NameFormat)
    print("Primary Owner Contact: ", objItem.PrimaryOwnerContact)
    print("Primary Owner Name: ", objItem.PrimaryOwnerName)
    # Roles is a tuple of strings, or None when WMI reports no roles for the host
    if objItem.Roles is not None:
        for x in objItem.Roles:
            print("Roles: ", x)
    print("Status: ", objItem.Status)
Edit configuration files
Edit these configuration files in the app's local directory, $SPLUNK_HOME/etc/apps/<app_name>/local.
In commands.conf, add this stanza:

[WinAD]
filename = WinAD.py
In authorize.conf, add these two stanzas. The first defines the run_script_WinAD capability; the second grants it to the admin role only, so users in other roles cannot invoke the script:

[capability::run_script_WinAD]

[role_admin]
run_script_WinAD = enabled
Restart Splunk.
Run the command in Splunk Web
In the app manager, change the sharing permissions for the search command to Global so that it can be run from any app.
Restart Splunk.
Now you can run the command from the search bar. Because it is an event-generating command, it must start with a leading pipe:
| WinAD
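The script above prints free-form text lines. A legacy (non-chunked) custom search command is expected to hand Splunk CSV on stdout, a header line followed by one row per event, which is what splunk.Intersplunk.outputResults writes. The following is an added example, not the page's WinAD.py and not code supplied by Splunk or Microsoft, that structures the same Win32_NTDomain query that way so each domain becomes one event with named fields. Assumptions: FIELDS is a chosen subset of the class's properties; FakeDomain and SAMPLE_DOMAINS are constructed stand-ins used only when pywin32 (win32com) cannot be imported, so the module also runs off Windows; the CSV is written with the standard csv module rather than splunk.Intersplunk, which is only importable inside Splunk; it runs under both Python 2.7 (bundled with Splunk 6.x) and Python 3.

```python
"""WinAD-style generating command that emits CSV (header plus one row per domain).

Added example, not the page's WinAD.py. Runs under Python 2.7 and Python 3 and
falls back to constructed sample data when pywin32 is not importable.
"""
import csv
import sys
try:                      # Python 2 (the interpreter bundled with Splunk 6.x)
    from cStringIO import StringIO
except ImportError:       # Python 3
    from io import StringIO

# Chosen subset of Win32_NTDomain properties (assumption); the order sets the CSV header.
FIELDS = [
    "Caption", "ClientSiteName", "DcSiteName", "DnsForestName",
    "DomainControllerAddress", "DomainControllerName", "DomainGuid",
    "DomainName", "DSGlobalCatalogFlag", "DSPrimaryDomainControllerFlag",
    "DSWritableFlag", "Name", "Status", "Roles",
]


class FakeDomain(object):
    """Constructed stand-in for a Win32_NTDomain object; unset properties read as None."""
    def __init__(self, **props):
        for name in FIELDS:
            setattr(self, name, props.get(name))


# Constructed sample records, not real directory data.
SAMPLE_DOMAINS = [
    FakeDomain(Caption="CORP", ClientSiteName="Default-First-Site-Name",
               DcSiteName="Default-First-Site-Name", DnsForestName="corp.example",
               DomainControllerAddress=r"\\10.0.0.10", DomainControllerName=r"\\DC01",
               DomainGuid="{00000000-0000-0000-0000-000000000000}", DomainName="CORP",
               DSGlobalCatalogFlag=True, DSPrimaryDomainControllerFlag=True,
               DSWritableFlag=True, Name="CORP", Status="OK",
               Roles=("PrimaryDomainController", "GlobalCatalog")),
    # A host with no DC details; Roles is None, the value WMI returns when the list is empty.
    FakeDomain(Caption="LAB", DomainName="LAB", Name="LAB", Status="OK", Roles=None),
]


def query_domains():
    """Return Win32_NTDomain objects from WMI, or SAMPLE_DOMAINS when pywin32 is absent."""
    try:
        import win32com.client
    except ImportError:
        return SAMPLE_DOMAINS
    locator = win32com.client.Dispatch("WbemScripting.SWbemLocator")
    service = locator.ConnectServer(".", r"root\cimv2")
    return list(service.ExecQuery("SELECT * FROM Win32_NTDomain"))


def to_row(obj):
    """Flatten one object into a dict of strings keyed by FIELDS.

    Roles is a tuple of strings or None; it is joined with ';' so it fits one
    CSV cell (the page's script prints each role on its own line instead).
    Other None values become empty strings rather than the text 'None'.
    """
    row = {}
    for name in FIELDS:
        value = getattr(obj, name, None)
        if name == "Roles":
            value = ";".join(value) if value else ""
        elif value is None:
            value = ""
        row[name] = str(value)
    return row


def build_rows(objects):
    """One CSV row per WMI object."""
    return [to_row(obj) for obj in objects]


def render_csv(rows):
    """Serialize rows as header-plus-rows CSV, the output shape Splunk reads back as events."""
    buf = StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    sys.stdout.write(render_csv(build_rows(query_domains())))
```

Drop this in place of WinAD.py and keep the same [WinAD] stanza. Because the command is invoked with a leading pipe and produces events from nothing, also add generating = true to that stanza in commands.conf (the setting defaults to false). The script still executes as the Splunk service account on the search head, which is why the run_script_WinAD capability is granted to the admin role only.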
This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14