Splunk Search

Trying out on custom command search

sarahh
Engager

Hello,

I've entered "print 'Hello World'" in helloworld.py file for custom command. I also added authorize.conf & commands.conf into $SPLUNK_HOME\etc\system\local\ directory with the stanzas needed and thereafter restarted Splunk. However, when I typed "|helloworld" into the search bar, "Hello World" didnt get printed out onto the screen. What should i do?

Thanks in advance. 🙂

Tags (3)
0 Karma
1 Solution

jonuwz
Influencer

Take a look in etc/apps/search/bin/gentimes.py for an example of a "generating" custom command.

Just putting "print 'Hello World'" into the file is not going to work.

You need to generate a "results" array containing the field/values for each of the columns, then pass it back.

helloworld.py

import re,sys,time, splunk.Intersplunk

def hello(results, settings):
    results = []
    result = {}
    result['string'] = "Hello World"
    results.append(result)
    return results

results, dummyresults, settings = splunk.Intersplunk.getOrganizedResults()
results = hello(results, settings)
splunk.Intersplunk.outputResults(results)

commands.conf

[helloworld]
filename = helloworld.py
generating = true
supports_rawargs = true

View solution in original post

jonuwz
Influencer

Take a look in etc/apps/search/bin/gentimes.py for an example of a "generating" custom command.

Just putting "print 'Hello World'" into the file is not going to work.

You need to generate a "results" array containing the field/values for each of the columns, then pass it back.

helloworld.py

import re,sys,time, splunk.Intersplunk

def hello(results, settings):
    results = []
    result = {}
    result['string'] = "Hello World"
    results.append(result)
    return results

results, dummyresults, settings = splunk.Intersplunk.getOrganizedResults()
results = hello(results, settings)
splunk.Intersplunk.outputResults(results)

commands.conf

[helloworld]
filename = helloworld.py
generating = true
supports_rawargs = true

sarahh
Engager

i see. thanks!! great help. 🙂

0 Karma

jonuwz
Influencer

Result is a row, results is all the rows.

sarahh
Engager

Oh... why is there "result" and "results"?

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...