It is useful, at times, to modify the value of a field, particularly _raw. Just for fun, let's reverse the text of each event. We will also support a parameter that specifies whether to reverse the words or the entire value. You can find this example in ImplementingSplunkExtendingExamples/bin/reverseraw.py:
import splunk.Intersplunk as si
import re

#since we're not writing a proper class, functions need to be
#defined first
def reverse(s):
    return s[::-1]

#start the actual script
results, dummyresults, settings = si.getOrganizedResults()

#retrieve any options included with the command
keywords, options = si.getKeywordsAndOptions()

#get the value of words, defaulting to false
words = options.get('words', False)

#validate the value of words
if words and words.lower().strip() in ['t', 'true', '1', 'yes']:
    words = True
else:
    words = False

#loop over the results
for r in results:
    #if the words option is true, then reverse each word
    if words:
        newRaw = []
        #split on runs of non-letters; the capturing group keeps the
        #separators at the odd indexes so they can be re-emitted unchanged
        parts = re.split(r"([^a-zA-Z']+)", r['_raw'])
        for n in range(0, len(parts) - 2, 2):
            newRaw.append(reverse(parts[n]))
            newRaw.append(parts[n + 1])
        newRaw.append(reverse(parts[-1]))
        r['_raw'] = ''.join(newRaw)
    #otherwise simply reverse the entire value of _raw
    else:
        r['_raw'] = reverse(r['_raw'])

si.outputResults(results)

The commands.conf stanza would look as follows:

[reverseraw]
filename = reverseraw.py
retainsevents = true
streaming = true

Let us assume the following event:

2012-10-27T22:10:21.616+0000 DEBUG Don't worry, be happy. [user=linda, ip=1.2.3., req_time=843, user=extrauser]
Using our new command, we run the following search:
* | head 10 | reverseraw
Running this search against the preceding event reverses the entire event, as shown in the following output:
]resuartxe=resu ,348=emit_qer ,.3.2.1=pi ,adnil=resu[ .yppah eb ,yrrow t'noD GUBED 0000+616.12:01:22T72-01-2102
We can then add the words argument:
* | head 10 | reverseraw words=true
This keeps the order of the words while reversing each word in place, as shown in the following output:
2012-10-27T22:10:21.616+0000 GUBED t'noD yrrow, eb yppah. [resu=adnil, pi=1.2.3., qer_emit=843, resu=resuartxe]
For fun, let's reverse the event again:
* | head 10 | reverseraw words=true | reverseraw
Reversing the whole line after reversing each word restores the words but reverses their order, giving the following output:
]extrauser=user ,348=time_req ,.3.2.1=ip ,linda=user[ .happy be, worry Don't DEBUG 0000+616.12:01:22T72-01-2102
happy be, worry Don't—Yoda could not have said it better.