Using external commands
The Splunk search language is extremely powerful, but at times, it may be either difficult or impossible to accomplish some piece of logic by using nothing but the search language. To deal with this, Splunk allows external commands to be written in Python. A number of commands ship with the product, and a number of commands are available in apps at http://splunk-base.splunk.com/.
Let's try out a few of the included commands. The documentation for the commands is included with other search commands at http://docs.splunk.com/. You can find a list of all included commands, both internal and external, by searching for All search commands. We will write our own commands in Chapter 12, Extending Splunk.
Extracting values from XML
Fairly often, machine data is written in XML format. Splunk will index this data without any issue, but it has no native support for XML. Though XML is not an ideal logging format, it can usually be parsed simply enough. Two commands are included...
