Splunk Search

Why do I get this error when I try to use my custom search command: "Search Factory: Unknown search command"

thisissplunk
Builder

I installed my custom search command by following this guide: http://dev.splunk.com/view/python-sdk/SP-CAAAEU2

Basically the steps are:
1. Create your script
2. Install it into your app's bin directory
3. Edit the app's commands.conf file
4. Restart Splunk

I did this, and this worked on an older instance of Splunk we have, which is just a search head and indexer all-in-one. However, on our new clustered instance I'm getting the error in the title from all of the peers when I try to invoke the command.

Is there another step here for clustered environments or something? I installed it on the search head and restarted Splunk Enterprise from the CLI there. It seems like the indexers aren't getting the file or something. This is a streaming command as well.

Edit: The command works fine when local = true in the commands.conf. However I do not want this. It must be some kind of replication or bundle issue then, right?


thisissplunk
Builder

Seems like it's a bug related to older search commands and deploying them with bundles on 6.5 and above: https://answers.splunk.com/answers/507618/unknown-search-command-base64.html

mattymo
Splunk Employee

I’m not sure it's a bug or just a behavioural change. I worked with another dev with a custom command, and it just seems the “new way” is to deploy your app to the SH AND the index peers. I chalked it up to bundle enhancements but will try and circle back on it.

- MattyMo
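
A per-node check for the situation discussed in this thread, as an added example that is not part of any post above and is not Splunk's code: it reads an app's commands.conf and reports commands whose script is absent from bin/ or that are pinned to the search head with local = true. The app name `myapp`, the command name `mycommand`, and the rule that an omitted filename falls back to `<stanza>.py` are assumptions.

```python
import configparser
import tempfile
from pathlib import Path


def check_custom_commands(app_dir):
    """Return {command: [problems]} for every stanza in the app's commands.conf."""
    app = Path(app_dir)
    # interpolation=None: .conf values may contain a literal '%'
    conf = configparser.ConfigParser(interpolation=None, strict=False)
    # Read default/ first, then local/, so local/ settings override default/
    conf.read([app / "default" / "commands.conf", app / "local" / "commands.conf"])
    report = {}
    for command in conf.sections():
        if command.lower() == "default":
            continue  # a [default] stanza holds global settings, not a command
        problems = []
        # Assumption: when filename is omitted, Splunk looks for <stanza>.py
        script = conf.get(command, "filename", fallback=command + ".py")
        if not (app / "bin" / script).is_file():
            problems.append("missing bin/" + script)
        if conf.get(command, "local", fallback="false").strip().lower() in ("true", "1"):
            problems.append("local = true: runs on the search head only")
        report[command] = problems
    return report


def build_sample_app(root, with_script, local_value):
    """Constructed sample app layout; 'myapp' and 'mycommand' are made-up names."""
    app = Path(root) / "myapp"
    (app / "bin").mkdir(parents=True)
    (app / "default").mkdir()
    (app / "default" / "commands.conf").write_text(
        "[mycommand]\nfilename = mycommand.py\nstreaming = true\n"
        "local = " + local_value + "\n"
    )
    if with_script:
        (app / "bin" / "mycommand.py").write_text("# placeholder script\n")
    return app


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        # Simulates a node that has the stanza but not the script
        app = build_sample_app(tmp, with_script=False, local_value="false")
        for command, problems in check_custom_commands(app).items():
            print(command, "->", problems or "ok")
```

Point `check_custom_commands` at the app directory on the search head and on each peer; a node where the app directory is absent returns an empty report, which is itself the finding.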