Search Command -> From Master Head

lpolo · ‎05-01-2012

I have a set of custom search commands that can only be executed at the splunk indexer. I would like to enable the master head server to execute these commands from the master head server.

Is it possible?

From the indexer I execute the commands as follow without any problem:

|customsearch

If I try to run the command from the master head with query

splunk_server|customsearch

I get this error:

Search operation 'customsearch' is unknown. You might not have permission to run this operation.

This is my commands.conf example:

[customsearch]
filename = customsearch.py
generating = true
maxinputs = 1
supports_rawargs = true

Thanks,
Lp

Ayn · ‎05-01-2012

If the search command is supposed to run on the indexers, you need to put the .py file there as well. More info: http://splunk-base.splunk.com/answers/31681/custom-search-command-for-distributed-search

lpolo · ‎05-02-2012

Thanks.
I follow your instructions. I am able to run the command from the master head. When I run the command, it is executed and the pick fields are found in splunk UI but the query keeps running. If I run the command in the indexer the command completes without problem, the pick fields are found in splunk UI but I do not see any events. I can see the event if I use: |search_commnad|table *. If I remove streaming no problem in the local indexer. What could be wrong?

commands.conf
[cimidxfeed]
filename = cim_idx.py
generating = true
maxinputs = 1
supports_rawargs = true
streaming = true

Ayn · ‎05-02-2012

afaik the search commands are not replicated. This is why you need to put them there manually.

lpolo · ‎05-02-2012

Thanks. It worked.
How can I control the replication from the Master head to the indexers?
There are a set of indexers that I do not want to have the custom search commands

Search Command -> From Master Head

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!