Splunk provides many powerful search commands, such as sort, fields, and transaction, but even better, it lets you extend it any way you want by writing your own search commands. Suppose you want to make a new "shape" command in Python that returns the shape of an event: tall, short, thin, wide, and so on. There are just three simple steps:
Step 1) Tell splunk about this external command in commands.conf...
```ini
[shape]
filename = shape.py
```
Step 2) Authorize users to run this command in authorize.conf...
```ini
[capability::run_script_shape]

[role_User]
run_script_shape = enabled
```
Step 3) Write the code! Here is shape.py...
```python
import splunk.Intersplunk

def getShape(text):
    description = []
    # number of lines in the raw event
    linecount = text.count("\n") + 1
    if linecount > 10:
        description.append("tall")
    elif linecount > 1:
        description.append("short")
    # average characters per line
    avglinelen = len(text) / linecount
    if avglinelen > 500:
        description.append("very_wide")
    elif avglinelen > 200:
        description.append("wide")
    elif avglinelen < 80:
        description.append("thin")
    # any line that starts with a space or tab counts as indentation
    if text.find("\n ") >= 0 or text.find("\n\t") >= 0:
        description.append("indented")
    if len(description) == 0:
        return "normal"
    return "_".join(description)

# get the previous search results
results, unused1, unused2 = splunk.Intersplunk.getOrganizedResults()

# for each result, add a 'shape' attribute, calculated from the raw event text
# (an event with no _raw field, e.g. after "fields - _raw", is treated as empty
# rather than raising a KeyError and failing the whole search)
for result in results:
    result["shape"] = getShape(result.get("_raw", ""))

# output results
splunk.Intersplunk.outputResults(results)
```
It works! Show me the top shapes among events with more than one line...
```text
$ splunk search "linecount>1 | shape | top shape"

shape               count percent
------------------- ----- ---------
tall_indented       43    43.000000
short_indented      29    29.000000
tall_thin_indented  15    15.000000
short_thin_indented 10    10.000000
short_thin          3     3.000000
```
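A custom search command is a script that Splunk executes on the search head with Splunk's own privileges for every user who holds the capability, so it is worth writing it so that it can be exercised outside Splunk and so that odd input degrades gracefully instead of aborting the search. The following is an added example, not code from the original post or from Splunk: it keeps the classification logic of the three-step command above but pulls the thresholds into named constants, tolerates events without `_raw` (shape `unknown`), accepts an optional `field=<name>` argument, and rejects unexpected positional arguments. The sample events and the `--selftest` flag are constructed for offline runs. Beyond the two Intersplunk calls on the page, it assumes `splunk.Intersplunk.getKeywordsAndOptions()` and `splunk.Intersplunk.generateErrorResults()` with the signatures shown; check them against the `Intersplunk.py` shipped with your Splunk version.

```python
import sys
from collections import Counter

# Thresholds from the page's shape command, named so they can be tuned in one place.
TALL_LINES = 10        # more lines than this -> "tall"; more than one line -> "short"
VERY_WIDE_CHARS = 500  # average characters per line
WIDE_CHARS = 200
THIN_CHARS = 80


def get_shape(text):
    """Classify an event's raw text by line count, average line length and indentation."""
    description = []
    linecount = text.count("\n") + 1
    if linecount > TALL_LINES:
        description.append("tall")
    elif linecount > 1:
        description.append("short")
    avglinelen = len(text) / linecount
    if avglinelen > VERY_WIDE_CHARS:
        description.append("very_wide")
    elif avglinelen > WIDE_CHARS:
        description.append("wide")
    elif avglinelen < THIN_CHARS:
        description.append("thin")
    if "\n " in text or "\n\t" in text:
        description.append("indented")
    return "_".join(description) if description else "normal"


def add_shape(results, field="_raw"):
    """Annotate each result dict in place with a 'shape' key.

    Events that lack the field, or carry a non-string value, get shape="unknown"
    instead of raising and killing the whole search. Returns how many were skipped.
    """
    skipped = 0
    for result in results:
        value = result.get(field)
        if not isinstance(value, str):
            result["shape"] = "unknown"
            skipped += 1
        else:
            result["shape"] = get_shape(value)
    return skipped


def shape_counts(results):
    """Offline stand-in for '| top shape': maps each shape to its number of events."""
    return dict(Counter(r.get("shape", "unknown") for r in results))


# Constructed sample events (not real Splunk data) for running this file outside Splunk.
SAMPLE_EVENTS = [
    {"_raw": "single line event"},
    {"_raw": "\n".join(["Exception in thread main"]
                       + ["    at com.example.Foo.bar(Foo.java:%d)" % i for i in range(11)])},
    {"_raw": "GET /index.html HTTP/1.1\n" + "A" * 450},
    {"host": "web01"},  # no _raw field at all
]


def main():
    # Imported here so the module loads (and can be tested) without the Splunk SDK present.
    # Assumed entry points: getKeywordsAndOptions, generateErrorResults, getOrganizedResults,
    # outputResults.
    import splunk.Intersplunk as si
    keywords, options = si.getKeywordsAndOptions()
    if keywords:
        si.outputResults(si.generateErrorResults(
            "shape accepts only field=<name>; unexpected argument(s): %s" % " ".join(keywords)))
        return
    field = options.get("field", "_raw")
    results, _dummy, _settings = si.getOrganizedResults()
    add_shape(results, field)
    si.outputResults(results)


if __name__ == "__main__":
    if "--selftest" in sys.argv:
        events = [dict(e) for e in SAMPLE_EVENTS]
        add_shape(events)
        for shape, count in sorted(shape_counts(events).items(), key=lambda kv: -kv[1]):
            print("%-22s %d" % (shape, count))
    else:
        main()
```

Running `python shape_cmd.py --selftest` exercises the classifier on the constructed events without a Splunk install; dropped into `apps/example/bin/` under the name registered in commands.conf it behaves like the page's script. Keeping the pure functions separate from `main()` is what makes that offline check possible, and failing with a result-level error rather than a traceback means a bad invocation shows up in the search UI instead of only in `search.log`.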
Just to review, here are the files we made...
- apps/example/bin/shape.py
- apps/example/default/authorize.conf
- apps/example/default/commands.conf
Now go out there and make cool extensions to Splunk!