Create custom Splunk search command using Python
Splunk is a great platform for analyzing and visualizing data. As you keep using Splunk you will need to integrate more data sources and do more complex processing on that data, and then you will definitely need Splunk custom commands.
Create a simple python script
Your script path should look like the path below:
<splunk_home>/etc/apps/<app_name>/bin/<command_name>.py
I created my testing command here:
/opt/splunk/etc/apps/search/bin/tstcmd.py
import sys
import splunk.Intersplunk
# read parameters
name_prefix = sys.argv[1]
# output data should be a list of dictionaries like this
data = [{'name': 'kamal', 'age': 23}, {'name': 'saman', 'age': 24}]
for record in data:
    record['name'] = name_prefix + record['name']
splunk.Intersplunk.outputResults(data)
Test your script
Don’t worry, you don’t need to install anything to import “splunk.Intersplunk”. You just need to run the script using the Python interpreter that is installed inside Splunk.
You can test your command like below:
cd /opt/splunk/etc/apps/search/bin/
/opt/splunk/bin/python tstcmd.py Mr.
Using external libraries
If you want to use external libraries, you’ll have to add them to the Python installation that ships with Splunk. For example, say you need to use sqlite3 in your script and you have it in another Python instance. Then you have to copy the necessary files like this:
cp -R /usr/lib64/python2.7/sqlite3/ /opt/splunk/lib/python2.7/site-packages/
cp /usr/lib64/python2.7/lib-dynload/_sqlite3.so /opt/splunk/lib/python2.7/lib-dynload/
Add the command to Splunk
You have to modify the below file.
<splunk_home>/etc/apps/<app_name>/local/commands.conf
In my case it is:
/opt/splunk/etc/apps/search/local/commands.conf
If this file is not there, create a new one with that name, and add the below:
[tstcmd]
filename = tstcmd.py
Now “tstcmd” is the custom command name.
Apply to Splunk
You have to refresh or restart Splunk to apply the changes.
You can refresh using the below URL:
<splunk_endpoint>/en-US/debug/refresh
Note: You’ll need an admin account to refresh.
Using the custom command in Splunk
You just need to call your command after a pipe, like below:
|tstcmd Mr.
Here “Mr.” is the parameter you are passing.
Then you can see a result like below:
+----------+-----+
| name     | age |
+----------+-----+
| Mr.kamal | 23  |
+----------+-----+
| Mr.saman | 24  |
+----------+-----+
Use the custom command with variable parameters
You may need to pass values gathered by a search to the custom command, so you need to use variables as parameters. To do that you have to use the “map” command like below:
|stats count
|eval x = "Mr."
|map search="|tstcmd $x$"
If you are using this query inside a dashboard, you’ll have to specify the variables like below:
|stats count
|eval x = "Mr."
|map search="|tstcmd $$x$$"
Use the custom command with a time range
Normally we gather data in Splunk within a given time range, so sometimes we have to pass the time range to the custom command as well. You can do that using the below query:
|stats count
|addinfo
|eval t1 = info_min_time
|eval t2 = info_max_time
|map search="|mycmd $t1$ $t2$"
Here t1 is the start time and t2 is the end time. Your script has to produce its output taking that time range into account.
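As an added example (not the original post’s script), here is how tstcmd might look once it also accepts the t1/t2 pair that the map query above passes: the values arriving from the pipeline are validated before use, records outside the range are dropped, and the Splunk-specific import stays inside main() so the logic can be exercised outside Splunk. The sample records with their _time field, and the use of the Intersplunk helper generateErrorResults to report bad arguments, are my assumptions.

```python
import sys

# Constructed sample records; a real command would read them from its data
# source. Each record carries an epoch timestamp so the search range applies.
SAMPLE_DATA = [
    {'name': 'kamal', 'age': 23, '_time': 1700000000},
    {'name': 'saman', 'age': 24, '_time': 1700003600},
    {'name': 'nimal', 'age': 25, '_time': 1700007200},
]

def parse_args(argv):
    # Arguments come from the search pipeline (e.g. via `map`), so they are
    # untrusted text: t1/t2 must parse as numbers (addinfo yields epoch
    # seconds, or "+Infinity" for an open-ended range) or the command refuses.
    if len(argv) not in (2, 4):
        raise ValueError("usage: tstcmd <prefix> [<t1> <t2>]")
    prefix = argv[1]
    t1, t2 = float('-inf'), float('inf')
    if len(argv) == 4:
        try:
            t1, t2 = float(argv[2]), float(argv[3])
        except ValueError:
            raise ValueError("t1/t2 must be epoch seconds, got %r %r" % (argv[2], argv[3]))
        if t1 > t2:
            raise ValueError("t1 must not be later than t2")
    return prefix, t1, t2

def build_results(prefix, t1, t2, data=SAMPLE_DATA):
    # Keep only records with _time inside [t1, t2] and apply the name prefix.
    results = []
    for record in data:
        if t1 <= float(record['_time']) <= t2:
            out = dict(record)  # copy so the sample data is never mutated
            out['name'] = prefix + out['name']
            results.append(out)
    return results

def main():
    # The splunk module only imports under <splunk_home>/bin/python, so it is
    # imported here rather than at module level; the logic above stays testable.
    import splunk.Intersplunk
    try:
        results = build_results(*parse_args(sys.argv))
    except ValueError as err:
        results = splunk.Intersplunk.generateErrorResults(str(err))  # assumed helper
    splunk.Intersplunk.outputResults(results)

if __name__ == '__main__':
    main()
```

Run it the same way as the original script, e.g. `/opt/splunk/bin/python tstcmd.py Mr. 1700000000 1700003600`, and only the records inside that window come back.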
Timezone issue with the time range
Suppose you are using the custom command successfully with a time range, but your script reads data from a source that is in a different timezone. You will then receive an incorrect result for your time range. This issue can be solved in multiple ways. Most of the time we select relative time ranges such as the last 15 minutes or the last 24 hours, so the current timezone itself is not the problem, because the ranges are relative. The easiest way to resolve this timezone mismatch is therefore to change the user’s time zone in Splunk.
You can change it like below:
- Click your user name, located at the top of the Splunk UI.
- Click Preferences in the menu.
- Then select the time zone of the data source used in the custom command script.
Hope this article will be helpful for various day-to-day tasks in Splunk.
Thanks