Splunk® Enterprise

Search Manual


Splunk Enterprise version 6.x is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk.

Add the custom command to Splunk Enterprise

After you write your search command, edit commands.conf to create an entry for your command. Splunk Enterprise will not be aware of your custom command until you add it to commands.conf. You can see the full list of configuration options for each command in commands.conf.spec in the Admin Manual. This topic will only discuss a few of the parameters.

If your custom command is app-specific, edit or create the configuration file in the app's local directory, $SPLUNK_HOME/etc/apps/<app_name>/local. If you want the command to be available system-wide instead, edit or create commands.conf in the system's local directory, $SPLUNK_HOME/etc/system/local.

Create a new stanza

Each stanza in commands.conf represents the configuration for a search command. Here is an example of a stanza that just enables your custom script:

[<STANZA_NAME>]
filename = <string>

The STANZA_NAME is the keyword that will be specified in search phrases to invoke the command. Search command names can consist only of alphanumeric (a-z, A-Z, and 0-9) characters. New commands (in this case, new stanzas) should not have the same name as any existing command.

The filename attribute specifies the name of your custom script. Splunk expects this script to be in all appropriate $SPLUNK_HOME/etc/apps/<app_name>/bin/ directories; otherwise, it looks for this script in $SPLUNK_HOME/etc/apps/search/bin (which is where most of the scripts that ship with Splunk are stored). In most cases, we recommend placing your script within an app namespace.

Describe the command

The filename attribute only tells Splunk Enterprise where the search script is located. You can use other attributes to describe the type of command you are adding. For example, use generating and streaming to specify whether the command generates events, is streamable, or both:

generating = [true|false|stream]

  • Specify whether your command generates new events.
  • If stream, then your command generates new events (generating = true) and is streamable (streaming = true).
  • Defaults to false.

streaming = [true|false]

  • Specify whether the command is streamable.
  • Defaults to false.

Use the retainsevents parameter to specify whether the custom search command retains or transforms events:

retainsevents = [true|false]

  • Specify whether the command retains events (the way the sort/dedup/cluster commands do) or whether it transforms them (the way the stats command does).
  • Defaults to false.
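
As an added example (not part of the Splunk documentation), the following Python lint checks a commands.conf against only the rules stated in this topic: alphanumeric stanza names, a filename entry, the allowed values for generating, streaming and retainsevents, and their defaults. The stanza and script names in the sample are constructed, and the function name lint_commands_conf is hypothetical.

```python
import configparser
import re

# Constructed sample commands.conf; stanza and script names are hypothetical.
SAMPLE_CONF = """
[geoenrich]
filename = geoenrich.py
streaming = true

[make-events]
filename = make_events.py
generating = stream

[topn]
generating = maybe
retainsevents = yes
"""

BOOL = {"true", "false"}
ALLOWED = {"generating": BOOL | {"stream"}, "streaming": BOOL, "retainsevents": BOOL}
DEFAULTS = {"generating": "false", "streaming": "false", "retainsevents": "false"}


def lint_commands_conf(text):
    """Return (effective_settings, problems) for the attributes this topic covers."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    settings, problems = {}, []
    for name in parser.sections():
        stanza = dict(parser[name])
        if not re.fullmatch(r"[A-Za-z0-9]+", name):
            problems.append(f"[{name}]: command names must be alphanumeric")
        if not stanza.get("filename", "").strip():
            problems.append(f"[{name}]: missing filename")
        effective = dict(DEFAULTS)  # every attribute defaults to false
        for key, allowed in ALLOWED.items():
            value = stanza.get(key)
            if value is None:
                continue
            if value in allowed:
                effective[key] = value
            else:
                problems.append(f"[{name}]: {key} = {value!r}, expected one of {sorted(allowed)}")
        # generating = stream means generating = true and streaming = true
        if effective["generating"] == "stream":
            effective.update(generating="true", streaming="true")
        settings[name] = effective
    return settings, problems
```

Running the lint over each app's local/commands.conf before a restart catches stanzas that name no script or carry a value outside the documented set.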

Restart Splunk

After adding your custom command to commands.conf, you need to restart Splunk Enterprise. Edits to your custom command script or to parameters of an existing command in commands.conf do not require a restart.

Last modified on 08 August, 2014

This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14
