Splunk - Basic Custom Search Command Example

Basic Custom Search Command Example(s)

Executing an arbitrary shell script w/o parameters

For this exercise, we will be executing a very basic script with no Splunk parameters. The purpose of this is to execute a python/shell script. You could just execute a shell script directly, but in the likely chance that you will eventually pass data/query, I'm using Python to execute a shell script.

• Create your test script in /$SPLUNKHOME/etc/apps/<appname>/bin/test.py
• Example test.py code:

import os

os.system("(cd /splunkscripts/; ./test.sh)")

• This navigates to a directory I created at the root directory called "splunkscripts" where I house all of the various scripts I use related to Splunk. It then executes test.sh.
• Example test.sh code:

echo "This is a successful test." > splunktest.txt

• This will echo this "Hello World" test to splunktest.txt. 
• Make sure both scripts (test.py and test.sh) are executable via chmod (i.e. chmod 755 )
• Edit your /$SPLUNKHOME/etc/apps/<appname>/local/commands.conf with the following:

[shelltest]

type = python

filename = test.py

generating = false

streaming = false

retainsevents = false

• Note: Generating/Streaming/Retainsevents all default to false, but for real world uses you will likely end up generating results. Be aware of these. Read the Splunk docs on custom searches as well: http://docs.splunk.com/Documentation/Splunk/latest/Search/Customsearchcommandexample 
• Restart Splunk.
• Go to your appropriate Splunk app where you stored this script and search: | shelltest
• Navigate to /splunkscripts/ and see if your test.sh wrote out the data to the splunktest.txt.
• If you get an "Error Code 1", then there is an issue with your Python/Shell code.