Create a Custom App in Splunk Enterprise — Custom Commands in Python
Let us extend Splunk Enterprise using Python and Splunk SDK libraries.
Splunk already ships with a rich set of commands and modules. It is always best to explore the existing options before building your own custom command.
Let us see why we would need to create a custom command. During my interactions with a client, there was a need to geolocate IP addresses and insert additional fields into the event. This is the use case we will explore here.
This demo will show you how you can read a field value and then manipulate it and insert it as an extra field.
First, you need to visit the Splunk UI and create an app.
Follow the below screenshots.
Give it permissions.
Here is how it looks in the apps listing view.
Now, log in to the Splunk server and cd into the apps folder to see our custom app MyCommand listed.
This is the file and folder structure of the app.
cd into the MyCommand/bin folder and install the Splunk SDK using the pip command.
pip install -t . splunk-sdk
Create the Python script mycommand.py

import sys
from splunklib.searchcommands import dispatch, StreamingCommand, Configuration

@Configuration()
class MyCommand(StreamingCommand):
    def stream(self, records):
        for record in records:
            record["hello"] = "world"   # add the new field to every event
            yield record

if __name__ == "__main__":
    dispatch(MyCommand, sys.argv, sys.stdin, sys.stdout, __name__)

In this script I am inserting a new field called hello with the value world.
Let us now register the above script as a command and restart Splunk.
sudo ./bin/splunk restart
First let us confirm if a normal search is working using the tutorial data.
Now, let us use our custom command: mycommand
YES! We can see the new field hello with value world!
We can see that the field is present in all the events.
Additional experiment: how to read a field and append to it.
Extending this further, we can call external API endpoints to geolocate an IP address, and so on.
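The read-a-field-then-append pattern from the last two steps, as an added example that is not part of the original post: a streaming command that reads an IP field from each event and appends <field>_scope (private, public, loopback, multicast or invalid). It classifies offline with the ipaddress module rather than calling an external geolocation API; the command name ipscope, the field option and the commands.conf stanza in the comments are assumptions.

```python
# Added example (not from the original post): a streaming command that reads
# an IP field and appends <field>_scope to each event. Enrichment is done
# offline with the ipaddress module; a geolocation API could replace it.
import ipaddress
import sys

def classify_ip(value):
    """Classify one field value; never raise on untrusted event data."""
    try:
        addr = ipaddress.ip_address(str(value).strip())
    except ValueError:
        return "invalid"           # non-IP text, empty string, None, etc.
    if addr.is_loopback:           # check before is_private: 127/8 is both
        return "loopback"
    if addr.is_private:
        return "private"
    if addr.is_multicast:
        return "multicast"
    return "public"

def enrich(records, field="src_ip"):
    """Yield every record; add <field>_scope only when the field exists."""
    for record in records:
        if field in record:
            value = record[field]
            if isinstance(value, list):          # multivalue field
                record[field + "_scope"] = [classify_ip(v) for v in value]
            else:
                record[field + "_scope"] = classify_ip(value)
        yield record

if __name__ == "__main__":
    # Assumed registration in MyCommand/default/commands.conf:
    #   [ipscope]
    #   filename = ipscope.py
    #   chunked = true
    from splunklib.searchcommands import (Configuration, Option,
                                          StreamingCommand, dispatch)

    @Configuration()
    class IpScopeCommand(StreamingCommand):
        # usage: ... | ipscope field=src_ip
        field = Option(require=False, default="src_ip")

        def stream(self, records):
            return enrich(records, self.field)

    dispatch(IpScopeCommand, sys.argv, sys.stdin, sys.stdout, __name__)
```

Keeping the enrichment in plain functions lets you unit-test it outside Splunk. If you later swap in an external geolocation API, remember the command sends every matched event's IP to that service, so cache lookups and skip private addresses.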