Splunk® Enterprise

Search Manual

Download manual as PDF

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

Custom event-generating command example

This section gives you plug-and-play scripts so you can iterate from in order to make your own custom search command.

Example code

You can go to our github repository to get a complex custom search command:

Splunk github python SDK custom search command

WinAD

The following custom search command runs a python script, WinAD.py, to collect Active Directory information. This sample python script is available from Microsoft.

Add the python script

Add this script, WinAD.py, to an appropriate apps directory, $SPLUNK_HOME/etc/apps/<app_name>/bin/ :

import win32com.client
strComputer = "."
objWMIService = win32com.client.Dispatch("WbemScripting.SWbemLocator")
objSWbemServices = objWMIService.ConnectServer(strComputer,"root\cimv2")
colItems = objSWbemServices.ExecQuery("Select * from Win32_NTDomain")
for objItem in colItems:
    print "Caption: ", objItem.Caption
    print "Client Site Name: ", objItem.ClientSiteName
    print "Creation Class Name: ", objItem.CreationClassName
    print "Dc Site Name: ", objItem.DcSiteName
    print "Description: ", objItem.Description
    print "Dns Forest Name: ", objItem.DnsForestName
    print "Domain Controller Address: ", objItem.DomainControllerAddress
    print "Domain Controller Address Type: ", objItem.DomainControllerAddressType
    print "Domain Controller Name: ", objItem.DomainControllerName
    print "Domain Guid: ", objItem.DomainGuid
    print "Domain Name: ", objItem.DomainName
    print "DS Directory Service Flag: ", objItem.DSDirectoryServiceFlag
    print "DS Dns Controller Flag: ", objItem.DSDnsControllerFlag
    print "DS Dns Domain Flag: ", objItem.DSDnsDomainFlag
    print "DS Dns Forest Flag: ", objItem.DSDnsForestFlag
    print "DS Global Catalog Flag: ", objItem.DSGlobalCatalogFlag
    print "DS Kerberos Distribution Center Flag: ",    objItem.DSKerberosDistributionCenterFlag
    print "DS Primary Domain Controller Flag: ", objItem.DSPrimaryDomainControllerFlag
    print "DS Time Service Flag: ", objItem.DSTimeServiceFlag
    print "DS Writable Flag: ", objItem.DSWritableFlag
    print "Install Date: ", objItem.InstallDate
    print "Name: ", objItem.Name
    print "Name Format: ", objItem.NameFormat
    print "Primary Owner Contact: ", objItem.PrimaryOwnerContact
    print "Primary Owner Name: ", objItem.PrimaryOwnerName
    z = objItem.Roles
    if z is None:
        a = 1
    else:
        for x in z:
            print "Roles: ", x
            print "Status: ", objItem.Status

Edit configuration files

Edit these configuration files in the app's local directory, $SPLUNK_HOME/etc/app/<app_name>/local.

In commands.conf, add this stanza:

[WinAD]
filename = WinAD.py

In authorize.conf, add these two stanzas:

[capability::run_script_WinAD]

[role_admin]
run_script_WinAD= enabled

Restart Splunk.

Run the command in Splunk Web

In the app manager, modify the sharing for the search script so that it has Global Permissions.

Restart Splunk.

Now you can run the command from the search bar. Also, it's an event-generating command, so it should start with a leading pipe.:

| WinAD

PREVIOUS
Control access to the custom command and script
  NEXT
Custom search command example

This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters