• enableheader = true: By default, your script will receive a header that the Splunk Python modules know how to use. If this is set to false, your command will receive plain CSV.
• run_in_preview = true: By default, your command will be executed repeatedly while events are being retrieved, so as to update the preview in the GUI. This will have no effect on saved searches, but setting this to false can make a big difference in performance for interactive searches. This is particularly important if your command uses an external resource, as it will be called repeatedly.
• local = false: If you have a distributed environment, by default, your command will be copied to all indexers and executed there. If your command needs to be run on one machine, setting local=true will ensure the command only runs on the search head.
• retainsevents = false: By default, Splunk assumes that your command returns the transformed events, much like stats or timechart. Setting this to true will change the behavior to treat the results as regular events.
To make our commands available to other apps, for instance Search, we need to change the metadata in our app. Place the following two lines in the file metadata/default.meta:

[commands]
export = system
Finally, to use a newly configured command, we either need to restart Splunk or load the URL http://yourserver/debug/refresh in a browser. This may also be necessary after changing settings in commands.conf, but is not necessary after making changes to the script itself.
Adding fields
Let's start out with a simple command that does nothing more than add a field to each event. This example is stored in ImplementingSplunkExtendingExamples/bin/addfield.py:
#import the python module provided with Splunk
import splunk.Intersplunk as si
#read the results into a variable
results, dummyresults, settings = si.getOrganizedResults()
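The snippet above depends on the splunk.Intersplunk module, which only exists inside a Splunk installation. To show what the command actually does to the data, here is an added example (not the book's addfield.py and not Splunk's own code) that implements the same "add a field to each event" step over the plain CSV form described in the enableheader bullet: it assumes the command is registered with enableheader = false, so no Splunk header block precedes the CSV, and it reads events from stdin and writes them back as CSV. The field name foo, the value bar, the SAMPLE_CSV events and the commands.conf stanza in the comment are constructed for illustration.

```python
import csv
import io
import sys

# Constructed sample input: plain CSV, as a command registered with
# enableheader = false receives it on stdin (no Splunk header block).
# An illustrative commands.conf stanza for such a command would be:
#   [addfield]
#   filename = addfield.py
#   enableheader = false
SAMPLE_CSV = """_time,host,status
1700000000,web01,200
1700000001,web02,500
"""


def parse_csv(text):
    """Parse CSV text into a list of event dicts (one per row)."""
    return list(csv.DictReader(io.StringIO(text)))


def add_field(rows, name, value):
    """Return new event dicts with `name` set to `value` on every event.

    Events are copied rather than mutated so the caller's list is untouched.
    """
    out = []
    for row in rows:
        new_row = dict(row)
        new_row[name] = value
        out.append(new_row)
    return out


def transform_csv(text, name, value):
    """Parse CSV text, add the field to each event, and render CSV text.

    csv.DictWriter quotes values that contain the delimiter or newlines, so a
    field value such as "a,b" cannot shift columns in the output rows.
    """
    reader = csv.DictReader(io.StringIO(text))
    rows = add_field(list(reader), name, value)
    fieldnames = list(reader.fieldnames or [])
    if name not in fieldnames:
        fieldnames.append(name)
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    # Under Splunk the events arrive on stdin; when run by hand in a terminal
    # with no piped input, fall back to the constructed sample.
    if sys.stdin.isatty():
        text = SAMPLE_CSV
    else:
        text = sys.stdin.read()
    sys.stdout.write(transform_csv(text, "foo", "bar"))
```

Because the script reads whatever Splunk sends and writes it straight back, the important property is that adding a field never corrupts the existing columns; the csv module's quoting handles values containing commas, and the hypothetical `dummyresults` and `settings` handled by Intersplunk in the original snippet have no counterpart here since the plain-CSV mode carries no header.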