- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Adding python script to search app
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have python script I want to add to the search app in splunk 5.0.3, I found some documentation: http://docs.splunk.com/Documentation/Splunk/5.0.3/Search/AddthecustomcommandtoSplunk
Now to make sure I am doing things correctly I copied the uniq.py and called it test.py and modified the commands.conf all in the $SPLUNK_HOME/etc/apps/search folder.
After restarting splunk I can see the script in: Manager > Advanced search > Search commands
However when I tried to use it I get an error:
Error in 'test' command: This command must be the first command of a search.
Meanwhile uniq work fine, obviously since that was built into splunk.
Thank you,
Brian
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok I was able to get my custom python script to work however I needed to do the following:
- Add my script to the $SPLUNK_HOME/etc/system/bin directory
- Modify the $SPLUNK_HOME/etc/system/default/transforms.conf to include the fields:
[myscript]
external_cmd = myscript.py InputField OutputField
fields_list = InputField OutputField
- Use my script as follows:
{My Search} |lookup myscript InputField as SearchField |table OutputField
Thank you,
Brian
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok I was able to get my custom python script to work however I needed to do the following:
- Add my script to the $SPLUNK_HOME/etc/system/bin directory
- Modify the $SPLUNK_HOME/etc/system/default/transforms.conf to include the fields:
[myscript]
external_cmd = myscript.py InputField OutputField
fields_list = InputField OutputField
- Use my script as follows:
{My Search} |lookup myscript InputField as SearchField |table OutputField
Thank you,
Brian
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How are you calling the command? Your search should have a leading pipe and your command being the first command; something like:
| test
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, when I do {my search} | uniq I get my expected results however when I do {my search} | test I get:
Error in 'test' command: This command must be the first command of a search.
Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...
Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...
Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...
