import splunk.Intersplunk as si
#read the results Splunk pipes into the command; settings carries search metadata
results, dummyresults, settings = si.getOrganizedResults()
#loop over each result. results is a list of dict.
for r in results:
    #r is a dict. Access fields using the fieldname.
    r['foo'] = 'bar'
#return the results back to Splunk
si.outputResults(results)
Our corresponding stanza in commands.conf is as follows:
[addfield]
filename = addfield.py
streaming = true
retainsevents = true
We can use this command as follows:
* | head 10 | addfield | top foo
This gives us the result shown in the following screenshot:
This could be accomplished much more efficiently by simply using eval foo="bar", but this illustrates the basic structure of a command.
Manipulating data
It is useful at times to modify the value of a field, particularly _raw. Just for fun, let's reverse the text of each event. We will also support a parameter that specifies whether to reverse the words or the entire value. You can find this example in ImplementingSplunkExtendingExamples/bin/reverseraw.py:
import splunk.Intersplunk as si
import re
#since we're not writing a proper class, functions need to be
#defined first
def reverse(s):
    return s[::-1]
#start the actual script
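The listing above is cut off after the helper function, so the following is an added example, not the book's own reverseraw.py, showing one complete streaming command built on the same structure as addfield: read the piped-in results, transform a field, hand them back. It supports a words=true|false option, as the text describes, and keeps the transform logic separate from the Splunk plumbing so it can be run and tested without a Splunk install. The splunk.Intersplunk calls used (getOrganizedResults, getKeywordsAndOptions, generateErrorResults, outputResults) are real library functions; parse_options, reverse_raw and the sample events are assumptions constructed for this example, and the fallback branch that runs without Splunk exists only so the script can be exercised offline.

```python
import re
import sys


# Core transforms carry no Splunk dependency so they can be unit-tested on their own.
def reverse_text(s):
    """Reverse the whole string, character by character."""
    return s[::-1]


def reverse_words(s):
    """Reverse the characters inside each whitespace-delimited word, keeping word order."""
    return re.sub(r"\S+", lambda m: m.group(0)[::-1], s)


def parse_options(argv):
    """Turn key=value command arguments into a dict, e.g. ['words=true'] -> {'words': 'true'}.
    Assumption: this mirrors the options half of si.getKeywordsAndOptions() for the offline run."""
    options = {}
    for arg in argv:
        if "=" in arg:
            key, value = arg.split("=", 1)
            options[key.strip().lower()] = value.strip()
    return options


def is_true(value):
    """Interpret the usual Splunk-style boolean spellings."""
    return str(value).strip().lower() in ("true", "t", "1", "yes", "y")


def reverse_raw(results, field="_raw", words=False):
    """Apply the chosen transform to one field of every result dict (constructed helper).
    Events that lack the field are passed through untouched rather than failing the search."""
    transform = reverse_words if words else reverse_text
    for r in results:
        if r.get(field) is not None:
            r[field] = transform(r[field])
    return results


def main():
    try:
        import splunk.Intersplunk as si
    except ImportError:
        si = None

    if si is None:
        # Offline run: constructed sample events stand in for what Splunk would pipe in.
        words = is_true(parse_options(sys.argv[1:]).get("words", "false"))
        sample = [{"_raw": "error code 500", "host": "web01"},
                  {"_raw": "login ok", "host": "web02"}]
        for r in reverse_raw(sample, words=words):
            print(r["_raw"])
        return

    try:
        # Real run: options come from the search pipeline, e.g. "... | reverseraw words=true".
        keywords, options = si.getKeywordsAndOptions()
        words = is_true(options.get("words", "false"))
        results, dummyresults, settings = si.getOrganizedResults()
        results = reverse_raw(results, words=words)
    except Exception as e:
        # Surface the failure in the search UI instead of silently returning nothing.
        results = si.generateErrorResults(str(e))
    si.outputResults(results)


if __name__ == "__main__":
    main()
```

Run it outside Splunk with `python reverseraw_example.py words=true` to see the per-word form; inside Splunk it would need a commands.conf stanza like the addfield one above, with streaming = true and retainsevents = true, since it changes events without dropping any.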