Splunk Cloud

Search Manual


Custom search command example

This topic applies only to the Intersplunk.py file and the Version 1 protocol.

For Version 2 protocol examples, see Custom search command examples on dev.splunk.com. That page has multiple examples to help you write your custom search command.

Additionally, there are other examples for the Splunk SDK for Python.

The following is an example of a custom search command called shape. The shape command categorizes events based on the event line count (tall or short), the line length (thin, wide, or very_wide), and whether or not the lines are indented.

Add the Python script

Add this script, shape.py, to the bin directory of an appropriate app, $SPLUNK_HOME/etc/apps/<app_name>/bin/. This script has been made cross-compatible with Python 2 and Python 3 using python-future.

from __future__ import division
from past.utils import old_div
import splunk.Intersplunk

def getShape(text):
    # Build up a list of descriptors; they are joined with "_" at the end
    description = []
    # Line count: more than 10 lines is "tall", 2 to 10 lines is "short"
    linecount = text.count("\n") + 1
    if linecount > 10:
        description.append("tall")
    elif linecount > 1:
        description.append("short")
    # Average line length (integer division under both Python 2 and 3)
    avglinelen = old_div(len(text), linecount)
    if avglinelen > 500:
        description.append("very_wide")
    elif avglinelen > 200:
        description.append("wide")
    elif avglinelen < 80:
        description.append("thin")
    # A line that starts with a space or a tab counts as indented
    if text.find("\n ") >= 0 or text.find("\n\t") >= 0:
        description.append("indented")
    if len(description) == 0:
        return "normal"
    return "_".join(description)

# get the previous search results
results, unused1, unused2 = splunk.Intersplunk.getOrganizedResults()
# for each result, add a 'shape' attribute, calculated from the raw event text
for result in results:
    result["shape"] = getShape(result["_raw"])
# output results
splunk.Intersplunk.outputResults(results)
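An added example, not part of the Splunk documentation or of Intersplunk.py, that exercises the same classification offline: it reimplements getShape, parses a constructed CSV results block of the kind the Version 1 protocol passes to the script, adds the shape column, and writes CSV back. The names get_shape, add_shape, to_csv and the sample rows are assumptions of this example; the protocol's settings header is left out, and the "unknown" handling for rows without a usable _raw is a defensive check the page's script does not make.

```python
import csv
import io

# Added example, not Splunk's code: an offline stand-in for the shape command.
# Assumption: results arrive as CSV with a "_raw" column (Version 1 protocol).
def get_shape(text):
    """Classify one event's raw text the same way the page's getShape does."""
    description = []
    linecount = text.count("\n") + 1
    if linecount > 10:
        description.append("tall")
    elif linecount > 1:
        description.append("short")
    avglinelen = len(text) // linecount  # old_div(...) in the page's script
    if avglinelen > 500:
        description.append("very_wide")
    elif avglinelen > 200:
        description.append("wide")
    elif avglinelen < 80:
        description.append("thin")
    if "\n " in text or "\n\t" in text:
        description.append("indented")
    return "_".join(description) if description else "normal"

def add_shape(csv_text):
    """Parse a CSV results block and add a 'shape' column to every row.
    A row with no usable _raw gets "unknown" instead of raising (added here)."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        raw = row.get("_raw")
        row["shape"] = get_shape(raw) if isinstance(raw, str) and raw else "unknown"
        rows.append(row)
    return rows

def to_csv(rows):
    """Serialize rows back to CSV, the form a Version 1 command writes to stdout."""
    buf = io.StringIO()
    fields = list(rows[0]) if rows else ["shape"]
    writer = csv.DictWriter(buf, fieldnames=fields, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()

# Constructed sample results, not real Splunk output.
SAMPLE_CSV = (
    "_raw,host\n"
    '"line one\n line two",web01\n'
    '"' + "x" * 300 + '",web02\n'
    "plain single line,web03\n"
    ",web04\n"
)
```

Run `print(to_csv(add_shape(SAMPLE_CSV)))` to see the four rows come back with their shape column appended.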

Edit the configuration files

Edit the following configuration files in the local directory for the app, for example $SPLUNK_HOME/etc/apps/<app_name>/local.

  1. In the commands.conf file, add this stanza:
     [shape]
     filename = shape.py
  2. In the authorize.conf file, add these two stanzas:
     [capability::run_script_shape]

     [role_admin]
     run_script_shape = enabled
  3. Restart Splunk Enterprise.

Run the command

This example shows how to run the search from the CLI. You can also run the command in Splunk Web.

Show the top shapes for multi-line events:

$ splunk search "linecount>1 | script shape | top shape"

The results of the search are returned in a table format.

shape                       count     percent
tall_indented               43        43.000000
short_indented              29        29.000000
tall_thin_indented          15        15.000000
short_thin_indented         10        10.000000
short_thin                  3         3.000000
Last modified on 05 December, 2019

This documentation applies to the following versions of Splunk Cloud: 7.0.11, 7.0.13, 7.1.3, 7.1.6, 7.2.4, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 8.0.2001, 8.0.2003, 8.0.2004
