Sure.. I have the following in my commands.conf (located in SPLUNK_HOME/etc/apps/MYAPP/local)
[tkntest]
type = python
filename = tkntst.py
supports_getinfo = false
supports_rawargs = true
passauth = true
enableheader = true
outputheader = true
requires_srinfo = true
supports_multivalues = true
tkntst.py (located in SPLUNK_HOME/etc/apps/MYAPP/bin)
import sys, os, logging, csv
from logging.handlers import TimedRotatingFileHandler

splkhome = os.environ['SPLUNK_HOME']
splvar = os.path.join(splkhome, 'var', 'log', 'splunk', 'sctest.log')

### Set Logging
log = logging.getLogger('tkntst')
log.setLevel(logging.INFO)
formatter = logging.Formatter('%(asctime)s [%(levelname)s] %(message)s')
handler = TimedRotatingFileHandler(splvar, when="d", interval=1, backupCount=1)
handler.setFormatter(formatter)
log.addHandler(handler)

try:
    log.info('Search commnd initiated')
    # With enableheader = true, the first stdin line is "infoPath:<path to info csv>"
    csvf = sys.stdin.readline().strip()
    csvf = csvf.replace("infoPath:", "")
    log.info('Successfully received csvf from Splunk %s' % csvf)
    # The info CSV carries the session key in the _auth_token column
    with open(csvf) as hfile:
        reader = csv.DictReader(hfile)
        for row in reader:
            tkn = row['_auth_token']
            # Note: this writes the session token to sctest.log in clear text
            log.info('Successfully received token from Splunk %s' % tkn)
except Exception as e:
    log.error('Unable to get session %s' % str(e))
sys.exit()
Ran in search (MYAPP) "|tkntest"
tail /xxx/xxx/splunk/var/log/splunk/sctest.log
2016-03-01 16:58:31,932 [INFO] Search commnd initiated
2016-03-01 16:58:31,932 [INFO] Successfully received csvf from /xxx/xxx/splunk/var/run/splunk/dispatch/1456869511.102/eternSearchResultsInfo.csv
2016-03-01 16:58:31,933 [INFO] Successfully received token from Splunk Ps^29NN_8U3WSwXdlt897cDV8bsOwxsXfN9Tqv9ATql77OONJS6S6gGI9lq3vNSW5Szwc6ltPNjFhg9HADwwpGS72CMJFTqcktxgS^8t9mrbtYoKE1T7KN
Also since you have the splunklib... check out this answer ... seems much simpler
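Added example (not part of the original answer): the same infoPath / `_auth_token` lookup, written so that only a short hash of the session token reaches the log instead of the token itself. The helper names, the `_sid` column, the sample CSV and the assumption that header lines are `key:value` pairs ending at the first blank line are all constructed for illustration.

```python
import csv
import hashlib
import io
import os
import tempfile


def read_info_path(stream):
    """Return the infoPath value from the header Splunk writes to stdin.

    Assumption: header lines are 'key:value' and end at the first blank line.
    """
    for line in stream:
        line = line.strip()
        if not line:
            break
        key, _, value = line.partition(":")
        if key == "infoPath":
            return value
    raise ValueError("no infoPath header on stdin")


def read_auth_token(info_csv_path):
    """Read _auth_token from the first row of the search info CSV."""
    with open(info_csv_path, newline="") as handle:
        row = next(csv.DictReader(handle), None)
    if not row or not row.get("_auth_token"):
        raise ValueError("no _auth_token in %s" % info_csv_path)
    return row["_auth_token"]


def token_fingerprint(token):
    """Short SHA-256 prefix: enough to correlate log lines, useless for replay."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()[:12]


def demo():
    # Constructed sample: a fake info CSV and the header line that points at it.
    fd, path = tempfile.mkstemp(suffix=".csv")
    with os.fdopen(fd, "w", newline="") as handle:
        handle.write("_sid,_auth_token\n1456869511.102,CONSTRUCTED-TOKEN\n")
    try:
        header = io.StringIO("infoPath:%s\n\nfield1,field2\n" % path)
        token = read_auth_token(read_info_path(header))
        return token, "session token received (sha256 prefix %s)" % token_fingerprint(token)
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(demo()[1])
```

In a real command, `read_info_path(sys.stdin)` replaces the constructed header and the returned message is what goes to `log.info`.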