Write your own search language
Splunk provides many powerful search commands, such as sort, fields, and transactions, but even better, it lets you extend the language any way you want by writing your own search commands.
I’ll show you how to write your own search command.
Suppose you want to make a new “shape” command in Python that returns the shape of an event (tall, short, thin, wide, and so on). There are just three simple steps:
- Step 1) Tell Splunk about this external command in commands.conf…

    [shape]
    filename = shape.py

- Step 2) Authorize users to run this command in authorize.conf…

    [capability::run_script_shape]

    [role_User]
    run_script_shape = enabled

- Step 3) Write the code! Here is shape.py…
import splunk.Intersplunk

def getShape(text):
    # classify the raw event text by line count, average line length and indentation
    description = []
    linecount = text.count("\n") + 1
    if linecount > 10:
        description.append("tall")
    elif linecount > 1:
        description.append("short")
    avglinelen = len(text) / linecount
    if avglinelen > 500:
        description.append("very_wide")
    elif avglinelen > 200:
        description.append("wide")
    elif avglinelen < 80:
        description.append("thin")
    if text.find("\n ") >= 0 or text.find("\n\t") >= 0:
        description.append("indented")
    if len(description) == 0:
        return "normal"
    return "_".join(description)

# get the previous search results
results, unused1, unused2 = splunk.Intersplunk.getOrganizedResults()

# for each result, add a 'shape' attribute calculated from the raw event text
# (an event with no _raw field is treated as empty text instead of raising KeyError)
for result in results:
    result["shape"] = getShape(result.get("_raw", ""))

# output results
splunk.Intersplunk.outputResults(results)
It works! Show me the top shapes among events with more than one line…
$ splunk search "linecount>1 | shape | top shape"

shape                 count   percent
-------------------   -----   ---------
tall_indented         43      43.000000
short_indented        29      29.000000
tall_thin_indented    15      15.000000
short_thin_indented   10      10.000000
short_thin            3       3.000000
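As an added example (not the post's shape.py), here is a way to exercise the same classification outside Splunk: the thresholds are the post's, the CSV reader/writer is an assumed simplified stand-in for the splunk.Intersplunk result plumbing, and events without a _raw field are handled rather than aborting the search.

```python
import csv
import sys

# Thresholds from the post's shape.py, pulled out so they can be tuned in one place.
TALL_LINES, VERY_WIDE_CHARS, WIDE_CHARS, THIN_CHARS = 10, 500, 200, 80


def get_shape(text):
    """Classify raw event text the way the post's getShape() does."""
    description = []
    linecount = text.count("\n") + 1
    if linecount > TALL_LINES:
        description.append("tall")
    elif linecount > 1:
        description.append("short")
    avglinelen = len(text) / linecount
    if avglinelen > VERY_WIDE_CHARS:
        description.append("very_wide")
    elif avglinelen > WIDE_CHARS:
        description.append("wide")
    elif avglinelen < THIN_CHARS:
        description.append("thin")
    if "\n " in text or "\n\t" in text:
        description.append("indented")
    return "_".join(description) or "normal"


def add_shape(results, field="_raw"):
    """Add a 'shape' field to every result dict. A result without the source
    field (e.g. after an earlier command dropped _raw) is marked 'normal'
    instead of raising KeyError and aborting the whole search."""
    for result in results:
        text = result.get(field)
        result["shape"] = get_shape(text) if text is not None else "normal"
    return results


def run_as_csv_filter(stdin=sys.stdin, stdout=sys.stdout):
    """Assumption: a simplified stand-in for splunk.Intersplunk's
    getOrganizedResults()/outputResults(): rows come in as CSV on stdin and
    go back out on stdout with the new 'shape' column appended."""
    reader = csv.DictReader(stdin)
    results = add_shape(list(reader))
    writer = csv.DictWriter(stdout, fieldnames=list(reader.fieldnames or []) + ["shape"])
    writer.writeheader()
    writer.writerows(results)


if __name__ == "__main__":
    run_as_csv_filter()
```

Run it as `python shape_filter.py < results.csv` on a CSV export of real events to check the thresholds before installing the command; the authorize.conf capability in Step 2 is what keeps an external script like this from being runnable by every role on the search head.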
Just to review, here are the files we made…
apps/example/bin/shape.py
apps/example/default/authorize.conf
apps/example/default/commands.conf
Now go out there and make cool extensions to Splunk!
Brief update for Splunk 4.0…
1) You do not need to do Step 2; no changes to authorize.conf are required.
2) Do not give your search command the name of an existing command. In 4.0 there is already a “shape” command, so in the above example, change the name from “shape” to something else.