Custom search scripts

This documentation does not apply to the most recent version of Splunk.

This documentation applies to the following versions of Splunk: 3.3 , 3.3.1 , 3.3.2 , 3.3.3 , 3.3.4 , 3.4 , 3.4.1 , 3.4.2 , 3.4.3 , 3.4.5 , 3.4.6 , 3.4.8 , 3.4.9 , 3.4.10 , 3.4.11 , 3.4.12

Create your own search commands by writing scripts. To build a search script, put a Python script in $SPLUNK_HOME/etc/searchscripts/. Python scripts in the searchscripts directory are available in the search language and can be used in a search. A search script runs with the privileges of the splunkd process, so restrict write access to that directory as you would for any other executable path. Find more examples on the Dev Wiki search script page.

For more help using Splunk's Python modules, please see the page on SDKs.

Configuration files

You must add your search script by name to commands.conf and permissions to authorize.conf.

commands.conf

Add an entry to commands.conf for your search script. This allows you to pipe your search to your custom search script.

[loglady]
filename = loglady.py

authorize.conf

Add two entries to authorize.conf.

First, add a capability for the script to be run:

[capability::run_script_loglady]

Second, add a line to any role to authorize users assigned that role to run the script:

run_script_loglady          = enabled

Working with results

Some things to know about passing results to and from a search command:

  • Results are passed in with stdin and out with stdout.
  • Arguments are passed from the search line directly to your script (in Python, as sys.argv). They come straight from the user's search bar, so validate them before using them as field names, file names or command-line arguments.

The name you use in a search is the stanza name from commands.conf, not the file name. If your stanza is [myNewCommand] with filename = myNewCommand.py, it can be used in a search as follows:

access denied | myNewCommand

Please note:

  • Only Python or Perl scripts are currently supported. If you use Perl, you must parse the search results on your own.
  • If you make changes to your files, you must restart your Splunk server to pick up the changes.
  • The inputs to your script are all the events selected by the preceding search. By default, only the top 100 results are passed to the script to run. To override this value, append your search with a new value for maxinputs; for example, maxinputs=10000.
  • Extracted fields are not available in the results array that is passed to the script. To expose extracted fields, first pipe the search into kv before piping to the custom search script. For example, * | kv | myscript.

Python modules

The splunk.Intersplunk module directs events from Splunk to your Python search scripts.

  • Calling getOrganizedResults returns a list of Python dictionaries, each of which represents a single event.
  • Calling outputResults with a list of dictionaries passes those events back to Splunk.

The output of your script can then be fed back into Splunk as events. For example:

import sys,splunk.Intersplunk
# this call populates the results variable with all the events passed into the search script:
results,dummyresults,settings = splunk.Intersplunk.getOrganizedResults()
# hand the results right back to Splunk
splunk.Intersplunk.outputResults(results)

Although this code snippet does not do much, it shows how to read the events and pass them back to Splunk. If you want to change some of the events, add a loop that iterates over them. Each event is a dictionary with one key-value pair for every field of that event.
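The following is an added example, not code from the Splunk documentation, that builds on the loop described above. It is a command that lowercases only the fields named on the search line (for example * | kv | lowerfields user host). It validates those arguments before using them, because they come straight from the search bar, and it uses splunk.Intersplunk when it runs inside Splunk. Outside Splunk, where that module cannot be imported, it falls back to its own reader and writer for the stdin/stdout layout, which is assumed here to be a block of key:value settings lines, a blank line, then CSV with a header row. The command name lowerfields, the field-name rule and that layout are assumptions of this example, not something the page specifies.

```python
# Added example (not from the Splunk docs): lowercase only the fields named on
# the search line, e.g.  * | kv | lowerfields user host
import csv
import re
import sys

try:
    import splunk.Intersplunk as isp   # importable only inside Splunk
except ImportError:
    isp = None

# Field names accepted from the search line. Arguments arrive unfiltered from
# the user's search bar, so anything else is rejected rather than passed on to
# file names, shell commands or further searches.
FIELD_NAME = re.compile(r'^[A-Za-z_][A-Za-z0-9_]*$')


def parse_field_args(argv):
    """Return the validated field names from argv (sys.argv[1:] under Splunk).

    Raises ValueError on a name that does not match FIELD_NAME.
    """
    fields = []
    for arg in argv:
        if not FIELD_NAME.match(arg):
            raise ValueError("invalid field name on search line: %r" % arg)
        fields.append(arg)
    return fields


def lowercase_fields(results, fields):
    """Return a new list of events with the named fields lowercased.

    Events are dicts of field name -> string, as getOrganizedResults returns
    them. Fields absent from an event are skipped; nothing is invented.
    """
    out = []
    for event in results:
        new_event = dict(event)          # copy: leave the input untouched
        for name in fields:
            value = new_event.get(name)
            if value is not None:
                new_event[name] = value.lower()
        out.append(new_event)
    return out


def read_results(stream):
    """Fallback reader for the assumed stdin layout (settings, blank, CSV)."""
    settings = {}
    for line in iter(stream.readline, ''):
        line = line.rstrip('\r\n')
        if line == '':
            break
        key, sep, value = line.partition(':')
        if sep:
            settings[key.strip()] = value.strip()
    return list(csv.DictReader(stream)), settings


def write_results(stream, results):
    """Fallback writer: CSV whose header lists every field seen, in order."""
    names = []
    for event in results:
        for key in event:
            if key not in names:
                names.append(key)
    writer = csv.DictWriter(stream, fieldnames=names, lineterminator='\n')
    writer.writeheader()
    writer.writerows(results)


def main(argv, stdin, stdout, stderr):
    try:
        fields = parse_field_args(argv)
    except ValueError as err:
        # Report the bad argument in the search UI rather than pass data through.
        if isp is not None:
            isp.generateErrorResults(str(err))
        else:
            stderr.write("ERROR: %s\n" % err)
        return 1
    if isp is not None:
        results, dummyresults, settings = isp.getOrganizedResults()
        isp.outputResults(lowercase_fields(results, fields))
    else:
        # settings would carry authString when passauth = true is set
        results, settings = read_results(stdin)
        write_results(stdout, lowercase_fields(results, fields))
    return 0


if __name__ == '__main__':
    sys.exit(main(sys.argv[1:], sys.stdin, sys.stdout, sys.stderr))
```

Registering it follows the page: a [lowerfields] stanza with filename = lowerfields.py in commands.conf, plus the run_script_lowerfields capability in authorize.conf.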

Authenticate

Add a passauth attribute to your stanza in commands.conf. Splunk then passes the credentials of the user running the search to the script in the settings dictionary returned by getOrganizedResults (the authString key in the example below). That token acts with the calling user's rights, so keep it inside the script: do not log it or place it on a command line, where other processes on the host can read it.

[MYSEARCHSCRIPT]
filename = MYSEARCHSCRIPT.py
passauth = true

Example

tolower.py:

import os
import subprocess
import sys
import splunk.Intersplunk

# this call populates the results variable with all the events passed into the search script:
results, dummyresults, settings = splunk.Intersplunk.getOrganizedResults()

# with passauth = true in commands.conf, the caller's credentials arrive in settings
authString = settings.get("authString", None)
if authString is None:
    splunk.Intersplunk.generateErrorResults("username/password authorization not given to 'tolower'.")
    sys.exit()

# hand the token to the splunk CLI through the environment of the child process only.
# The child's stdout is captured: anything it printed would otherwise be mixed into
# this script's own result stream. The command is fixed; never splice search-line
# arguments (sys.argv) into a shell command here.
env = dict(os.environ)
env["SPLUNK_TOK"] = authString
proc = subprocess.Popen(["splunk", "search", "* | head 1", "-format", "csv"],
                        stdout=subprocess.PIPE, stderr=subprocess.PIPE, env=env)
cli_output, cli_errors = proc.communicate()

# create new list to pass back to Splunk
new_result_list = []
# Iterate over all the events:
for result in results:
    # for each event, iterate over all the extracted fields:
    new_result = {}
    for key, value in result.items():
        # change the result items. This example makes all the values lowercase
        # (field values arrive from Splunk as strings).
        new_result[key] = value.lower()
    # add the changed result to the new list of results
    new_result_list.append(new_result)
# hand the results right back to Splunk
splunk.Intersplunk.outputResults(new_result_list)

Changing events with your own command is probably the most common use case. You do not have to return the original set of events, or even the same fields: any list of key-value dictionaries can be returned to Splunk. For example:

# This prepares the return value for the script
newresults = [ { "afterglowFilename" : "afterglow.html" } ]
splunk.Intersplunk.outputResults(newresults)

This example returns only one key/value pair. It could then be combined with a field action that executes some action on this field, for example displaying the HTML file named in the value.

Revision: 207