- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Custom Command to append to search
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Currently I am trying to write a python script that I can use to permute the input. I then wish to use this as a command to generate my output.
What I want from the search app:
Run search "host=
Then my permute script will return "123 OR 132 OR 213 OR 231 OR 312 OR 321" so that my final search will be "host=
Is this sort of thing possible? I have been working on developing a view for an app to execute this in. My idea was to run the permute with the input given from a text field and then put the results of the permute into the next search. I have looked through many of the Splunk documentation and forums and cannot figure out what to do. I though $results$ would give me the results of the first search but this has not worked. Any ideas? Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think so. See this search reference for calling scripts in searches:
http://docs.splunk.com/Documentation/Splunk/6.0.1/SearchReference/script
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You don't want to pipe all those results you don't need to the command, a subsearch makes more sense in this context, e.g.:
host=* [permute 123]
This would be a generating command:
http://docs.splunk.com/Documentation/Splunk/6.0.1/AdvancedDev/SearchScripts
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think so. See this search reference for calling scripts in searches:
http://docs.splunk.com/Documentation/Splunk/6.0.1/SearchReference/script
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So I ended up making a script for search, and put it in $SPLUNK_HOME/etc/apps/search/bin. Then added the command to $SPLUNK_HOME/etc/apps/search/local/commands.conf
I run a search such as:
host=* | permute 123
Then my script takes all of the results from host=* and searches them for all combinations of 123, 132, etc. and prints them out to the results in splunk. One important thing to note was that I had to set retains events to true in commands.conf for the results to show in Splunk with all of the preprocessed fields that I wanted.
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
.conf24 | Personalize your .conf experience with Learning Paths!
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
