Splunk Search

Search Command -> From Master Head

lpolo
Motivator

I have a set of custom search commands that can only be executed at the Splunk indexer. I would like to enable the master head server to execute these commands from the master head server.

Is it possible?

From the indexer I execute the commands as follows without any problem:

|customsearch

If I try to run the command from the master head with the query

splunk_server|customsearch

I get this error:

Search operation 'customsearch' is unknown. You might not have permission to run this operation.

This is my commands.conf example:

[customsearch]
filename = customsearch.py
generating = true
maxinputs = 1
supports_rawargs = true

Thanks,
Lp

0 Karma

Ayn
Legend

If the search command is supposed to run on the indexers, you need to put the .py file there as well. More info: http://splunk-base.splunk.com/answers/31681/custom-search-command-for-distributed-search

lpolo
Motivator

Thanks.
I followed your instructions. I am able to run the command from the master head. When I run the command, it is executed and the pick fields are found in the Splunk UI, but the query keeps running. If I run the command in the indexer, the command completes without problem and the pick fields are found in the Splunk UI, but I do not see any events. I can see the event if I use: |search_command|table *. If I remove streaming, there is no problem in the local indexer. What could be wrong?

commands.conf
[cimidxfeed]
filename = cim_idx.py
generating = true
maxinputs = 1
supports_rawargs = true
streaming = true

0 Karma

Ayn
Legend

AFAIK, the search commands are not replicated. This is why you need to put them there manually.

0 Karma
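
Added example, not part of the original thread and not Splunk's own tooling: because the answers above say the command script has to be placed on the indexers by hand, this Python check can be run against an app directory on each search peer to list commands.conf stanzas whose script is missing from the app's bin/ directory. The app name `sample_app`, the helper names, and the fallback to `<stanza>.py` when `filename` is unset are assumptions; the stanza is the one posted above and the app tree is constructed.

```python
import configparser
import tempfile
from pathlib import Path


def load_commands(app_dir):
    """Merge default/ and local/ commands.conf; local settings win."""
    merged = {}
    for layer in ("default", "local"):
        conf = Path(app_dir) / layer / "commands.conf"
        if not conf.is_file():
            continue
        parser = configparser.ConfigParser(interpolation=None, strict=False)
        parser.read(conf, encoding="utf-8")
        for stanza in parser.sections():
            merged.setdefault(stanza, {}).update(parser[stanza])
    return merged


def missing_scripts(app_dir):
    """Return {command: script} for stanzas whose script is not in bin/."""
    missing = {}
    for stanza, settings in load_commands(app_dir).items():
        if stanza == "default":  # global settings stanza, not a command
            continue
        # Assumption: with no filename set, Splunk looks for <stanza>.py
        script = settings.get("filename", stanza + ".py")
        if not (Path(app_dir) / "bin" / script).is_file():
            missing[stanza] = script
    return missing


def build_sample_app(root, with_script):
    """Constructed app tree using the stanza posted in the thread."""
    app = Path(root) / "sample_app"  # hypothetical app name
    (app / "default").mkdir(parents=True)
    (app / "bin").mkdir()
    (app / "default" / "commands.conf").write_text(
        "[cimidxfeed]\nfilename = cim_idx.py\ngenerating = true\n"
        "maxinputs = 1\nsupports_rawargs = true\nstreaming = true\n")
    if with_script:
        (app / "bin" / "cim_idx.py").write_text("# placeholder\n")
    return app


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(missing_scripts(build_sample_app(tmp, with_script=False)))
```

An empty result on a search peer means every command defined in that app has its script in place there; a non-empty result names the scripts that still have to be copied.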

lpolo
Motivator

Thanks. It worked.
How can I control the replication from the master head to the indexers?
There is a set of indexers that I do not want to have the custom search commands.

0 Karma