Create a Custom App in Splunk Enterprise — Custom Commands in Python

Sreeprakash Neelakantan
3 min read · Nov 10, 2021


Let us extend Splunk Enterprise using Python and Splunk SDK libraries.

Splunk already ships with a rich set of commands and modules, so it is always best to explore the existing options before building your own custom command.

Let us see why we would need to create custom commands. During my interactions with a client, there was a need to geolocate IP addresses and insert additional fields into the event. This is the use case we will explore here.

This demo will show you how to read a field value, manipulate it, and insert the result as an extra field.

First, you need to visit the Splunk UI and create an app.

Follow the below screenshots.

Give it permissions.

Here is how it looks in the apps listing view.

Now, log in to the Splunk server and cd into the apps folder to see our custom app MyCommand listed.

This is the file and folder structure of the app.

cd into the MyCommand/bin folder and install the Splunk SDK into it using pip.

cd MyCommand/bin
pip install -t . splunk-sdk

Create the Python Script mycommand.py

In the script below I am inserting a new field called hello with the value world into every event.

import sys
from splunklib.searchcommands import dispatch, StreamingCommand, Configuration

@Configuration()
class MyCommand(StreamingCommand):
    # A streaming command receives events one at a time and yields them back.
    def stream(self, records):
        for record in records:
            record['hello'] = 'world'  # add the new field to this event
            yield record

if __name__ == "__main__":
    # Hands control to the SDK, which speaks the chunked protocol with splunkd.
    dispatch(MyCommand, sys.argv, sys.stdin, sys.stdout, __name__)

Let us now register the above script as a command by adding a stanza to commands.conf in the app's default folder.

cd etc/apps/MyCommand/default
nano commands.conf
[mycommand]
chunked=true
filename=mycommand.py

Restart Splunk

sudo ./bin/splunk restart

Testing Time

First, let us confirm that a normal search works using the tutorial data.

Now, let us use our custom command: mycommand

YES! We can see the new field hello with the value world!

We can see that the field is present in all the events.

Additional experiments: read an existing field and append a new field derived from it.

Extending this further, we can call external API endpoints to geolocate an IP address, and so on.
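As an added example (not part of the original post), here is a streaming command that reads the IP field named by a field= option, classifies it with the standard-library ipaddress module, and appends ip_version and ip_scope fields. It goes beyond the hard-coded hello=world case above: the field name is a parameter, and a value that is not a valid address is tagged "invalid" rather than crashing the search. The command name ipscope and the clientip field are assumptions; the splunklib import is guarded so the enrichment logic can be tested outside Splunk.

```python
import sys
import ipaddress

try:
    from splunklib.searchcommands import (
        dispatch, StreamingCommand, Configuration, Option, validators)
    HAVE_SPLUNKLIB = True
except ImportError:
    # Lets the enrichment logic be unit-tested outside Splunk.
    HAVE_SPLUNKLIB = False


def classify_ip(value):
    """Return (ip_version, scope) for an address string; a value that is not
    a valid IP yields (None, 'invalid') instead of aborting the search."""
    try:
        addr = ipaddress.ip_address(str(value).strip())
    except ValueError:
        return None, "invalid"
    if addr.is_loopback:
        scope = "loopback"
    elif addr.is_private:
        scope = "private"
    elif addr.is_global:
        scope = "global"
    else:
        scope = "reserved"
    return addr.version, scope


def enrich_record(record, field):
    """Append ip_version and ip_scope derived from record[field];
    events that lack the field pass through untouched."""
    if field in record:
        version, scope = classify_ip(record[field])
        record["ip_version"] = version if version is not None else ""
        record["ip_scope"] = scope
    return record


if HAVE_SPLUNKLIB:
    @Configuration()
    class IpScopeCommand(StreamingCommand):
        # SPL usage (assumed command name): ... | ipscope field=clientip
        field = Option(require=True, validate=validators.Fieldname())

        def stream(self, records):
            for record in records:
                yield enrich_record(record, self.field)

    if __name__ == "__main__":
        dispatch(IpScopeCommand, sys.argv, sys.stdin, sys.stdout, __name__)
```

Register it the same way as mycommand, with an [ipscope] stanza in commands.conf whose filename points at this script.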

All the best spelunking!
