Writing commands
To augment the built-in commands, Splunk provides the ability to write commands in Python and Perl. You can write the commands to modify events, replace events, or even dynamically produce events.
When not to write a command
While external commands can be very useful, they should be considered a last resort when the number of events to be processed is large or when performance is a concern. You should make every effort to accomplish the task at hand using the search language built into Splunk, or other built-in features. For instance, if you need:
- Regular expressions—learn to use rex, regex, and extracted fields
- To calculate a new field, or modify an existing field—look into eval (search for "splunk eval functions" with your favorite search engine)
- To augment your results with external data—learn to use lookups, which can also be a script, if need be
- To read external data that changes periodically—consider using inputcsv
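As an added example (not from the original text), here is a search that covers all four alternatives above without an external command: rex pulls fields out of raw events, eval derives a new field, lookup enriches the results, and inputcsv feeds a subsearch. The sample events are constructed inline with makeresults so the first search runs on any Splunk instance; the lookup definition user_roles (columns user and role), the lookup file blocked_ips.csv (column src), and index=auth in the second search are assumptions, not objects that exist by default. The two searches are separated by a blank line.

```spl
| makeresults count=4
| streamstats count AS n
| eval _raw=case(
      n==1, "2023-01-01T10:00:00 src=10.0.0.5 user=alice action=login status=401",
      n==2, "2023-01-01T10:00:05 src=10.0.0.5 user=alice action=login status=401",
      n==3, "2023-01-01T10:00:09 src=10.0.0.7 user=bob action=login status=200",
      n==4, "2023-01-01T10:00:12 src=10.0.0.5 user=alice action=login status=200")
| rex field=_raw "src=(?<src>[\d.]+)\s+user=(?<user>\w+)\s+action=(?<action>\w+)\s+status=(?<status>\d+)"
| eval failed=if(tonumber(status)>=400, 1, 0)
| lookup user_roles user OUTPUTNEW role
| eval role=coalesce(role, "unknown")
| stats sum(failed) AS failures, count AS attempts, values(src) AS sources BY user, role
| eval failure_rate=round(failures/attempts, 2)
| where failures>=2

index=auth action=login [| inputcsv blocked_ips.csv | fields src]
| stats count AS hits, values(user) AS users BY src
```

Two details matter in practice. The coalesce before stats is there because stats BY drops any result whose grouping field is null, so a user absent from the lookup would silently vanish from the report without it. In the second search the subsearch expands to an OR of src="..." terms, which lets the CSV act as a watch list that is re-read on every run; subsearch results are capped (10,000 rows by default) and the search will be silently truncated beyond that, so very large lists belong in a lookup instead.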
The performance issues introduced by external commands come from...