To augment the built-in commands, Splunk provides the ability to write commands in Python and Perl. You can write the commands to modify events, replace events, or even dynamically produce events.
While external commands can be very useful, if the number of events to be processed is large, or if performance is a concern, it should be considered a last resort. You should make every effort to accomplish the task at hand using the search language built into Splunk, or other built-in features. For instance, if you need:
Regular expressions—learn to use
rex
,regex
, and extracted fieldsTo calculate a new field, or modify an existing field—look into
eval
(search forsplunk eval functions
with your favorite search engine)To augment your results with external data—learn to use lookups , which can also be a script, if need be
To read external data that changes periodically—consider using
inputcsv
The performance issues introduced by external commands come from...