Adding fields

Let's start out with a simple command that does nothing more than add a field to each event. This example is stored in ImplementingSplunkExtendingExamples/bin/addfield.py:

# import the python module provided with Splunk
import splunk.Intersplunk as si

# read the results into a variable
results, dummyresults, settings = si.getOrganizedResults()

# loop over each result. results is a list of dict.
for r in results:
    # r is a dict. Access fields using the fieldname.
    r['foo'] = 'bar'

# return the results back to Splunk
si.outputResults(results)

Our corresponding stanza in commands.conf is as follows:

[addfield] 
filename = addfield.py 
streaming = true 
retainsevents = true 

We can use this command as follows:

* | head 10 | addfield | top foo 

This gives us the result shown in the following screenshot:

This could be accomplished much more efficiently by simply using eval foo="bar", but this illustrates the basic structure of a command.
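As an added example (not the book's addfield.py), here is the same command restructured so that the field logic lives in a plain function that can be unit-tested without a Splunk install, so that an existing field of the same name is not silently overwritten, and so that an exception is reported in the search UI through Intersplunk's generateErrorResults instead of producing empty output. It would be registered with the same commands.conf stanza as above; the function name add_field and its overwrite parameter are this example's own.

```python
# Added example: a testable variant of the addfield command.
# splunk.Intersplunk is imported only inside main(), so add_field() can be
# imported and tested anywhere.


def add_field(results, name, value, overwrite=False):
    """Add name=value to every result dict.

    results is the list of dicts returned by Intersplunk.getOrganizedResults().
    Returns the number of events changed. With overwrite=False an event that
    already carries the field keeps its original value.
    """
    changed = 0
    for r in results:
        if overwrite or name not in r:
            r[name] = value
            changed += 1
    return changed


def main():
    import splunk.Intersplunk as si
    try:
        results, dummyresults, settings = si.getOrganizedResults()
        add_field(results, 'foo', 'bar')
    except Exception as e:
        # Report the failure as an error result rather than dying silently.
        results = si.generateErrorResults("addfield failed: %s" % e)
    si.outputResults(results)


if __name__ == '__main__':
    main()
```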