Solved: Can I run a search command on data that is not in ...

andrewtrobec · ‎03-29-2017

Hello!

Is it possible to use the content of a text input token to run a search? So instead of:

index="my_index" | ...

i use

$token_text$ | ...

The goal here is to pass the text content to an external script and then be able to output a result. The text that needs to be analyzed, however, is not within an index, but is provided ad-hoc.

Is this possible?

Thanks!

Andrew

woodcock · ‎03-29-2017

If you need to turn a carefully constructed string of text into "fake" events, check out this Q&A which describes exactly this:

https://answers.splunk.com/answers/265921/what-is-the-best-way-to-spoof-run-anywhere-fake-da.html#an...

View solution in original post

woodcock · ‎03-29-2017

If you need to turn a carefully constructed string of text into "fake" events, check out this Q&A which describes exactly this:

https://answers.splunk.com/answers/265921/what-is-the-best-way-to-spoof-run-anywhere-fake-da.html#an...

andrewtrobec · ‎04-03-2017

Perfect, thank you!

gfreitas · ‎03-29-2017

Hi, In this case you need to create a custom search command. You can find more information here: http://dev.splunk.com/view/python-sdk/SP-CAAAEU2 and here: http://docs.splunk.com/Documentation/Splunk/6.5.2/Search/Writeasearchcommand

Can I run a search command on data that is not in an index?

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor