Splunk® Enterprise

Search Manual

Acrobat logo Download manual as PDF

Splunk Enterprise version 7.0 is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
Acrobat logo Download topic as PDF

About writing custom search commands

This documentation has moved and been updated. See Create custom search commands for apps in Splunk Cloud or Splunk Enterprise in the Developer Guide on the Developer Portal.

You can extend the Splunk Search Processing Language (SPL) by customizing the built-in commands, or by writing your own search commands for custom processing or calculations.

If you use Splunk Cloud, you do not have filesystem access to your Splunk deployment. If you want to create custom search commands, file a Support ticket.

The following table describes the protocols, formats, and SDKs that you can use to create custom search commands.

Supported protocols Description Supported executable formats SDK
Custom Search Command protocol, Version 2 Use to create custom commands for a wide range of platforms and executable formats. .bat, .cmd, .exe, .js, .pl, .py, .sh Splunk SDK for Python
Custom Search Command protocol, Version 1 Use with the Splunk SDK for Python to create custom commands for Python.

Use with the Intersplunk.py SDK only to support existing custom commands.

.pl, .py

Splunk SDK for Python


Custom search commands that use Version 2 of the Custom Search Command protocol can be implemented in a variety of programming languages. These custom commands can even be implemented as platform-specific binary files.

By contrast, custom search commands that use the Version 1 protocol can be implemented only in Python. Custom commands that use the Version 1 protocol can only run using the Python interpreter that is included with the Splunk software.

About the SDKs

Use the Splunk SDK for Python to create custom search commands. The Splunk SDK for Python includes several templates that you can use to build new custom search commands.

Intersplunk.py is an older SDK and should only be used to support existing custom search commands that were built using the Version 1 protocol. You should not use the Intersplunk.py SDK for new custom search commands.

About the protocols

Version 2 protocol

There are significant advantages to using the Version 2 of the Custom Search Command protocol.

  • With the Version 2 protocol, external programs process through an entire set of Splunk search results in one invocation. The external program is invoked once for the entire search, greatly reducing runtime overhead.
  • The Version 2 protocol requires fewer configuration attributes than the Version 1 protocol.
  • Supports non-Python custom search commands, for example C++, Go, Java and JavaScript (Node.js).
  • Support for platform-specific executable files and binaries. You can write custom search commands in compiled languages, such as C++, on multiple platforms.

Version 1 protocol

The Version 1 of the Custom Search Command protocol processes events in groups, using 50,000 events for each group. The external program is invoked and terminated multiple times for large result sets.

Last modified on 06 October, 2020
Forward data to third-party systems
Search walkthroughs

This documentation applies to the following versions of Splunk® Enterprise: 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.2.0

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters