I am using the Python SDK. Watch the "self.fieldnames" routine. My command will have one argument: an existing field from the previous search (message_subject). With the code below I was successful in passing the value from any field I add as an argument to the SPL command, e.g. "| mimedecode message_subject".

I got inspiration from: https://docs.splunk.com/DocumentationStatic/PythonSDK/1.6.0/searchcommands.html

```python
import sys
from splunklib.searchcommands import dispatch, StreamingCommand, Configuration

@Configuration()
class decodemimeCommand(StreamingCommand):
    def stream(self, records):
        # get the argument - fieldname with mime-encoded string
        message_subject = self.fieldnames[0]
        for record in records:
            # main() is the MIME-decoding function defined elsewhere in the script (not shown in this post)
            record['message_subject_decoded'] = main(record[message_subject])
            yield record

if __name__ == "__main__":
    dispatch(decodemimeCommand, sys.argv, sys.stdin, sys.stdout, __name__)
```
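The post does not show the decoding function that `stream()` calls, so the following is an added example, not the poster's code: a standard-library sketch of the per-record logic that tolerates missing fields, multivalue fields and malformed encoded-words, so one bad subject line does not abort the search. The names `decode_mime_words`, `decode_field` and `SAMPLE` are hypothetical, and multivalue fields arriving as lists is an assumption.

```python
from email.errors import HeaderParseError
from email.header import decode_header, make_header


def decode_mime_words(value):
    """Decode RFC 2047 encoded-words; return the input unchanged on failure."""
    if not isinstance(value, str) or "=?" not in value:
        return value
    try:
        return str(make_header(decode_header(value)))
    except (HeaderParseError, LookupError, UnicodeError, ValueError):
        # Unknown charset or corrupt payload: keep the raw value so the
        # analyst still sees what was on the wire.
        return value


def decode_field(records, fieldname):
    """Same loop shape as stream(): add <fieldname>_decoded to each record."""
    target = fieldname + "_decoded"
    for record in records:
        raw = record.get(fieldname)
        if raw is None:
            record[target] = ""          # field absent in this event
        elif isinstance(raw, list):      # assumed multivalue representation
            record[target] = [decode_mime_words(v) for v in raw]
        else:
            record[target] = decode_mime_words(raw)
        yield record


# Constructed sample events, not taken from the post.
SAMPLE = [
    {"message_subject": "=?UTF-8?B?SGVsbG8gV29ybGQ=?="},
    {"message_subject": "=?ISO-8859-1?Q?Caf=E9_menu?="},
    {"message_subject": "=?x-unknown-cs?B?SGVsbG8=?="},   # undecodable charset
    {"message_subject": ["plain text", "=?UTF-8?B?SGVsbG8gV29ybGQ=?="]},
    {"sender": "a@example.com"},                          # no subject field
]

if __name__ == "__main__":
    for event in decode_field([dict(r) for r in SAMPLE], "message_subject"):
        print(event["message_subject_decoded"])
```

Inside a `StreamingCommand`, the body of `stream()` would reduce to `return decode_field(records, self.fieldnames[0])`.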