Currently I am trying to write a python script that I can use to permute the input. I then wish to use this as a command to generate my output.
What I want from the search app:
Run search "host=
Then my permute script will return "123 OR 132 OR 213 OR 231 OR 312 OR 321" so that my final search will be "host=
Is this sort of thing possible? I have been working on developing a view for an app to execute this in. My idea was to run the permute with the input given from a text field and then put the results of the permute into the next search. I have looked through much of the Splunk documentation and forums and cannot figure out what to do. I thought $results$ would give me the results of the first search, but this has not worked. Any ideas? Thanks!
I think so. See this search reference for calling scripts in searches:
http://docs.splunk.com/Documentation/Splunk/6.0.1/SearchReference/script
You don't want to pipe all those results you don't need to the command, a subsearch makes more sense in this context, e.g.:
host=* [permute 123]
This would be a generating command:
http://docs.splunk.com/Documentation/Splunk/6.0.1/AdvancedDev/SearchScripts
So I ended up making a script for search and put it in $SPLUNK_HOME/etc/apps/search/bin. Then I added the command to $SPLUNK_HOME/etc/apps/search/local/commands.conf
I run a search such as:
host=* | permute 123
Then my script takes all of the results from host=* and searches them for all combinations of 123, 132, etc. and prints them out to the results in Splunk. One important thing to note was that I had to set retainsevents to true in commands.conf for the results to show in Splunk with all of the preprocessed fields that I wanted.
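As an added example (not code from this thread or from Splunk), here is what such a permute script can look like with its logic kept in plain functions so it can be tested outside Splunk: permute_clause covers the subsearch form host=* [permute 123] and filter_results covers the streaming form host=* | permute 123. The file layout, commands.conf stanza and use of the legacy splunk.Intersplunk helper module are assumptions; the sample events are constructed.

```python
"""Assumed layout (from the thread above):
  $SPLUNK_HOME/etc/apps/search/bin/permute.py
  $SPLUNK_HOME/etc/apps/search/local/commands.conf:
      [permute]
      filename = permute.py
      retainsevents = true
"""
import sys
from itertools import permutations

# Constructed sample events, shaped like the dicts Splunk hands a v1 command.
SAMPLE_EVENTS = [
    {"host": "web1", "_raw": "user=alice id=231 status=ok"},
    {"host": "web2", "_raw": "user=bob id=999 status=ok"},
    {"host": "web3", "_raw": "user=eve id=312 status=fail"},
]


def unique_permutations(token):
    """All distinct orderings of the characters in token (set removes repeats, e.g. '112')."""
    return sorted({"".join(p) for p in permutations(token)})


def permute_clause(token):
    """Subsearch form: returns '123 OR 132 OR 213 OR 231 OR 312 OR 321' for '123'."""
    return " OR ".join(unique_permutations(token))


def filter_results(results, token):
    """Streaming form: keep events in which any field contains a permutation of token.
    Returning the original event dicts keeps every preprocessed field intact."""
    perms = unique_permutations(token)
    return [ev for ev in results
            if any(p in str(val) for val in ev.values() for p in perms)]


if __name__ == "__main__":
    # Assumption: Splunk's bundled legacy helper module for v1 search commands.
    import splunk.Intersplunk as si
    token = sys.argv[1] if len(sys.argv) > 1 else ""
    if not token:
        si.outputResults(si.generateErrorResults("permute: missing argument"))
        sys.exit(0)
    events = si.readResults()  # events piped in from the preceding search
    si.outputResults(filter_results(events, token))
```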