Splunk® Enterprise

Search Manual

Download manual as PDF

Download topic as PDF

About writing custom search commands

You can extend the Splunk Search Processing Language (SPL) by customizing the built-in commands, or by writing your own search commands for custom processing or calculations.

If you use Splunk Cloud, you do not have filesystem access to your Splunk deployment. If you want to create custom search commands, file a Support ticket.

The following table describes the protocols, formats, and SDKs that you can use to create custom search commands.

Supported protocols Description Supported executable formats SDK
Custom Search Command protocol, Version 2 Use to create custom commands for a wide range of platforms and executable formats. .bat, .cmd, .exe, .js, .pl, .py, .sh Splunk SDK for Python
Custom Search Command protocol, Version 1 Use with the Splunk SDK for Python to create custom commands for Python.

Use with the Intersplunk.py SDK only to support existing custom commands.

.pl, .py

Splunk SDK for Python

Intersplunk.py

Custom search commands that use Version 2 of the Custom Search Command protocol, can be implemented in a variety of programming languages. These custom commands can even be implemented as platform-specific binary files.

By contrast, custom search commands that use the Version 1 protocol can be implemented only in Python. Custom commands that use the Version 1 protocol can only run using the Python interpreter that is included with the Splunk software.

About the SDKs

Use the Splunk SDK for Python to create custom search commands. The Splunk SDK for Python includes several templates that you can use to build new custom search commands.

Intersplunk.py is an older SDK and should only be used to support existing custom search commands that were built using the Version 1 protocol. You should not use the Intersplunk.py SDK for new custom search commands.

About the protocols

Version 2 protocol

There are significant advantages to using the Version 2 of the Custom Search Command protocol.

  • With the Version 2 protocol, external programs process through an entire set of Splunk search results in one invocation. The external program is invoked once for the entire search, greatly reducing runtime overhead.
  • The Version 2 protocol requires fewer configuration attributes than the Version 1 protocol.
  • Supports non-Python custom search commands, for example C++, Go, Java and JavaScript (Node.js).
  • Support for platform-specific executable files and binaries. You can write custom search commands in compiled languages, such as C++, on multiple platforms.

Version 1 protocol

The Version 1 of the Custom Search Command protocol processes events in groups, using 50,000 events for each group. The external program is invoked and terminated multiple times for large result sets.

PREVIOUS
Forward data to third-party systems
  NEXT
Write a custom search command

This documentation applies to the following versions of Splunk® Enterprise: 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.6.0, 6.6.1, 6.6.2, 6.6.3


Comments

Where may I find more details about the version 2 / version 1 protocols? Links to relevant spots in splunk>docs would be much appreciated!

Ww9rivers
September 19, 2017

Triddell
Thanks for the clarification! I have updated the documentation.

Lstewart splunk, Splunker
January 6, 2017

Note: "golang" is not a language. Go is a language that lives at https://golang.org and people often Google for "golang" since Go is such a universal word.

Triddell
December 21, 2016

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters