Create a custom search command

Create a custom search command to extend the Splunk Search Processing Language (SPL) to address your specific use case.

Prerequisites
To create a custom search command, you need the following.

  • Splunk Enterprise version 6.3 or later.

    Use an installation of Splunk Enterprise on a single-instance development environment, such as a laptop. For more information about supported computing environments, see System requirements for use of Splunk Enterprise on-premises in the Installation Manual.

  • The Splunk SDK for Python.

    To download the SDK, see Overview of the Splunk SDK for Python.

  • A plan for your command.

    Determine the type of command you want to create based on the calculations you need to perform.

Steps

  1. Create an app for your custom search command.

    For instructions on how to create apps in Splunk, see Create a Splunk app.

  2. Install the Splunk SDK for Python in your app.

    Inside the root directory of your app, create a lib directory. For example, create $SPLUNK_HOME/etc/apps/<app_name>/lib.

    Next, copy the splunklib directory from the SDK into the lib directory that you created. For example, copy it to $SPLUNK_HOME/etc/apps/<app_name>/lib/splunklib. Your command script must be able to import splunklib from this directory.

  3. Write the script for your custom search command.

    Write the script in a Python (.py) file and save it in the bin directory of your app. Use the templates and classes from the Splunk SDK for Python. The script runs with the privileges of the Splunk Enterprise process, so treat command options and field values as untrusted input: validate options with the SDK's validators and never pass them to a shell.

    For more information about these templates, see Templates.
    For the Python classes, see Python classes for custom search commands.
    For examples of custom search commands for each command type, see Custom search command examples.

  4. Create a commands.conf file to register your search command.

    Create a commands.conf file in the default directory of your app. For example, create commands.conf in $SPLUNK_HOME/etc/apps/<app_name>/default.

    After you create the file, open it in a text editor and add a stanza named after your command. Include the line chunked=true, which makes Splunk exchange search results with your script in chunks using the chunked (version 2) custom search command protocol that the SDK's search command classes support. Then add a filename attribute that names your Python file in the app's bin directory.

    For example, add the following stanza to $SPLUNK_HOME/etc/apps/<app_name>/default/commands.conf.
    [foo]
    chunked=true
    filename=foo.py
    

  5. Enable search assistant text for your command.

    Create a searchbnf.conf file in the default directory of your app. For example, create searchbnf.conf in $SPLUNK_HOME/etc/apps/<app_name>/default.

    After you create the file, open it in a text editor. Then add a stanza for your command that includes the syntax, short description, and usage for the command. In the example below, the bracketed values are placeholders to replace with your own text; usage = public lists the command in the search assistant.

    For example, add the following stanza to $SPLUNK_HOME/etc/apps/<app_name>/default/searchbnf.conf.
    [foo-command]
    syntax = [foo]
    shortdesc = [a brief description of your command]
    usage = public
    


    Next, set export = system in the [searchbnf] stanza of the default.meta file so that the searchbnf.conf settings are shared with all apps rather than only your own.

    For example, add the following stanza to the default.meta file in $SPLUNK_HOME/etc/apps/<app_name>/metadata/default.meta.
    [searchbnf]
    export = system
    

  6. Restart Splunk Enterprise.

    For information on how to restart Splunk Enterprise, see Start and Stop Splunk Enterprise in the Admin Manual.
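    The following shell script is an added example that carries out steps 2 through 5 in one go; it is not part of this page or of the Splunk SDK. It assumes a hypothetical app directory (such as $SPLUNK_HOME/etc/apps/foo_app), a directory containing the unpacked SDK, a command named foo that adds a foo_length field, and the python.version setting available in Splunk Enterprise 8.0 and later. The embedded foo.py uses the SDK's StreamingCommand, Option, validators, and dispatch classes; the script writes it but does not execute it, and check_foo_app confirms that every file and setting the procedure needs is in place before you restart.

```shell
#!/bin/sh
# Added example: lays out the app described in steps 2 to 5 for a
# hypothetical streaming command named "foo". The app directory and the
# location of the unpacked SDK are passed in; both are assumptions.

make_foo_app() {
    app_dir="$1"   # e.g. "$SPLUNK_HOME/etc/apps/foo_app"
    sdk_dir="$2"   # directory that contains the SDK's splunklib package

    mkdir -p "$app_dir/bin" "$app_dir/lib" "$app_dir/default" "$app_dir/metadata"

    # Step 2: vendor splunklib into <app>/lib so bin/foo.py can import it.
    cp -R "$sdk_dir/splunklib" "$app_dir/lib/"

    # Step 3: the command script. The SDK validates options before stream()
    # runs, so an illegal field name is rejected instead of reaching the code.
    cat > "$app_dir/bin/foo.py" <<'PY'
#!/usr/bin/env python
import os
import sys

# Make the vendored SDK (<app>/lib/splunklib) importable.
sys.path.insert(0, os.path.join(os.path.dirname(os.path.abspath(__file__)), "..", "lib"))

from splunklib.searchcommands import (
    Configuration, Option, StreamingCommand, dispatch, validators)


@Configuration()
class FooCommand(StreamingCommand):
    """Adds foo_length, the length of the value in <fieldname>, to each event.

    ##Syntax
    foo fieldname=<field>
    """

    fieldname = Option(doc="Field whose value length is measured",
                       require=True, validate=validators.Fieldname())

    def stream(self, records):
        # Streaming commands receive and yield events one at a time.
        for record in records:
            value = record.get(self.fieldname)
            record["foo_length"] = len(value) if value is not None else 0
            yield record


dispatch(FooCommand, sys.argv, sys.stdin, sys.stdout, __name__)
PY

    # Step 4: register the command. python.version is a Splunk Enterprise
    # 8.0+ setting (assumption for this example); drop it on older releases.
    cat > "$app_dir/default/commands.conf" <<'CONF'
[foo]
chunked = true
filename = foo.py
python.version = python3
CONF

    # Step 5: search assistant text, exported to all apps via default.meta.
    cat > "$app_dir/default/searchbnf.conf" <<'CONF'
[foo-command]
syntax = foo fieldname=<field>
shortdesc = Adds foo_length, the length of the value in <field>, to each event.
usage = public
CONF

    cat > "$app_dir/metadata/default.meta" <<'CONF'
[searchbnf]
export = system
CONF
}

# Sanity check before restarting Splunk: every file and setting the
# procedure requires is present. Returns non-zero at the first gap.
check_foo_app() {
    app_dir="$1"
    [ -f "$app_dir/bin/foo.py" ] || return 1
    [ -f "$app_dir/lib/splunklib/__init__.py" ] || return 1
    grep -q '^chunked *= *true' "$app_dir/default/commands.conf" || return 1
    grep -q '^filename *= *foo\.py' "$app_dir/default/commands.conf" || return 1
    grep -q '^\[foo-command\]' "$app_dir/default/searchbnf.conf" || return 1
    grep -q '^export *= *system' "$app_dir/metadata/default.meta" || return 1
}

# Usage: sh make_foo_app.sh "$SPLUNK_HOME/etc/apps/foo_app" /path/to/splunk-sdk-python
if [ "$#" -eq 2 ]; then
    make_foo_app "$1" "$2" && check_foo_app "$1" && echo "foo app written to $1"
fi
```

    After running it, restart Splunk Enterprise and try `... | foo fieldname=host`. The validators.Fieldname() check on the option is the part to keep even if you change everything else: the option text comes straight from whoever typed the search, and the script runs as the Splunk service account.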

Next Steps

Now that you've created your command, see Package and deploy a custom search command.