Extending SPL with

Custom Search Commands

Jacob Leverich | Director of Engineering

2017/08/11 | Washington, DC
 Forward-Looking Statements
During the course of this presentation, we may make forward-looking statements regarding future events or
the expected performance of the company. We caution you that such statements reflect our current
expectations and estimates based on factors currently known to us and that actual events or results could
differ materially. For important factors that may cause actual results to differ from those contained in our
forward-looking statements, please review our filings with the SEC.

The forward-looking statements made in this presentation are being made as of the time and date of its live
presentation. If reviewed after its live presentation, this presentation may not contain current or accurate
information. We do not assume any obligation to update any forward looking statements we may make. In
addition, any information about our roadmap outlines our general product direction and is subject to change
at any time without notice. It is for informational purposes only and shall not be incorporated into any contract
or other commitment. Splunk undertakes no obligation either to develop the features or functionality
described or to include any such feature or functionality in a future release.
Splunk, Splunk>, Listen to Your Data, The Engine for Machine Data, Splunk Cloud, Splunk Light and SPL are trademarks and registered trademarks of Splunk Inc. in
the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners. © 2017 Splunk Inc. All rights reserved.
 Who am I?

Splunker for 3 years, based in San Francisco

Engineering manager in Splunk’s Incubation team

Implemented Search Command Protocol Version 2

Die-hard Longhorns fan

3
 Agenda

Introduction to Custom Search Commands

How do Custom Search Commands work?
– High-level concepts
– Low-level details
Types of Search Commands
How to create new Custom Search Commands
Wrap-up

4
Introduction to
Custom Search
Commands
 What is a Custom Search Command?

A user-defined SPL command.

| search

7
8
 What is a Custom Search Command?

A user-defined SPL command.

Can be used to extend the SPL language!

 Who uses Custom Search Commands?

Partners
– Concanon, etc.

Customers
– Use-case specific analytics

Splunk!
– predict command
– IT Service Intelligence
– Enterprise Security
– DB Connect
– Machine Learning Toolkit

Anyone who wants to extend the Splunk platform

– Integration with 3rd party services
– Implementation of custom logic
 How do Custom
Search Commands
work?
 How do Custom Search Commands work?

1. When parsing SPL, splunkd interrogates each command.

“Are you a Custom Search Command?”

2. If so, spawn external process and allow it to parse arguments.

3. During search, pipe search results through external process.

12
 Parsing #1: Split search into commands
| inputlookup geo_attr_us_states.csv | GOCRAZY | head 5

inputlookup geo_attr_us_states.csv

GOCRAZY head 5

13
Parsing #2: Look for custom search commands
| inputlookup geo_attr_us_states.csv | GOCRAZY | head 5

commands.conf inputlookup geo_attr_us_states.csv

[gocrazy]
…

GOCRAZY head 5

14
 Parsing #3: Spawn external process
| inputlookup geo_attr_us_states.csv | GOCRAZY | head 5

inputlookup geo_attr_us_states.csv

GOCRAZY head 5

$SPLUNK_HOME/bin/python gocrazy.py

15
Parsing #4: Let external process parse arguments
| inputlookup geo_attr_us_states.csv | GOCRAZY | head 5

inputlookup geo_attr_us_states.csv

GOCRAZY head 5

$SPLUNK_HOME/bin/python gocrazy.py

16
Search: Pipe results through external process
| inputlookup geo_attr_us_states.csv | GOCRAZY | head 5

inputlookup geo_attr_us_states.csv

GOCRAZY head 5

$SPLUNK_HOME/bin/python gocrazy.py

17
 Recap: high-level concepts

Enable you to register new SPL commands, extend the language.

Allow you to intercept and modify search results during a search.

– CSV in ➞ CSV out

Implemented as a external process (i.e. a program you write).

– Typically written in Python.

18
 Custom Commands: low-level details

How results are exchanged between splunkd and external process

“Types” of search commands

19
 splunkd ⬌ custom command

There are two “protocols” for custom commands:

– Version 1, legacy protocol used by Intersplunk.py (available since Splunk 3.0)
– Version 2, new protocol used by Python SDK (available since 6.3)
– In both protocols, all communication over stdin/stdout

Version 2 protocol
– Spawns external process once, streams results through chunk by chunk
– Simple commands.conf configuration
ê “chunked=true”
– Support for platform-specific programs

Version 1 protocol
– Spawns external process for each chunk of search results (!)
– “Transforming” commands limited to 50,000 events

20
 Search Command protocol comparison
Protocol APIs Performance Scalability Simple Platform- Programming
configuration specific languages
programs

Version 1 Intersplunk.py, Python

(legacy) Python SDK ✘ ✘ ✘ ✘
Version 2 Python SDK Python,
✔ ✔ ✔ ✔ arbitrary
binaries

21
 Search Command Protocol Version 2

• Transaction-oriented
• splunkd sends a command, external process responds with reply

• Simple bi-directional transport protocol:

• ASCII transport header
• JSON metadata payload
• CSV search results payload

• Every search starts with a “getinfo” command (capability exchange)

• Subsequently, issues “execute” commands with search results

22
 Transport “chunk”
Metadata length Data length

chunked 1.0, 22, 54 Transport header

{“action”: “execute”} Metadata (JSON)
_raw,a,b,c
hello,0,1,2 Data payload (CSV)
everyone,3,4,5
howareyou,6,7,8
 Example: GOCRAZY
| inputlookup geo_attr_us_states.csv | head 5 | GOCRAZY

chunked 1.0,22,106 chunked 1.0,18,106

{“action”: “execute”} {“finished”: true}
state_code,state_fips,state_name dste_aecot,pste_asfit,mste_aenat
AL,01,Alabama $SPLUNK_HOME/bin/python LA,10,aaalbmA
AK,02,Alaska gocrazy.py KA,20,laaskA
AZ,04,Arizona ZA,40,iaorznA
AR,05,Arkansas RA,50,Akaasnsr
CA,06,California AC,60,iCifolarna

24
 Protocol Version 2: Transaction timeline

splunkd external process

“What kind of command
are you?”
“Hey! I’m a
streaming command!”
time

… ✘
25
 “getinfo” command

Metadata in the getinfo command sent by splunkd:

– Command arguments
– Full SPL query string
– Execution context (app, user)
– Search sid
– splunkd URI and auth token (for making REST requests)

Metadata in the custom command’s reply:

– Type of search command (streaming/stateful/reporting/etc.)
– Which fields splunkd should extract (required fields)
– Whether or not it generates results (e.g. must be first search command)

26
 Sample “getinfo” metadata
{
"action": "getinfo",
"streaming_command_will_restart": false,
"searchinfo": {
"earliest_time": "0",
"raw_args": [
"LinearRegression", "petal_length", "from", "petal_width”
],
"session_key": "...",
"maxresultrows": 50000,
"args": [
"LinearRegression", "petal_length", "from", "petal_width”
],
"dispatch_dir": "/Users/jleverich/builds/conf_mlapp_demo/var/run/splunk/dispatch/1475007525.265",
"command": "fit",
"latest_time": "0",
"sid": "1475007525.265",
"splunk_version": "6.5.0",
"username": "admin",
"search": "%7C%20inputlookup%20iris.csv%20%7C%20fit%20LinearRegression%20petal_length%20from%20petal_width",
"splunkd_uri": "https://127.0.0.1:8090",
"owner": "admin",
"app": "Splunk_ML_Toolkit”
},
"preview": false
}
 “execute” command

Metadata in execute command sent by splunkd

– Whether or not preceding commands are “finished”

Metadata in the custom command’s reply:

– Whether or not this command is “finished”

splunkd and search commands negotiate completion of search

– Both must indicate “finished” = True

28
Types of Search
Commands
 Types of Search Commands

“Streaming” commands

“Stateful Streaming” commands

“Transforming” commands
– “Events” commands
– “Reporting” commands
 “Streaming” commands

Process search results one-by-one

– Can’t maintain global state
– Must not re-order search results

Eligible to run at Indexers

– Can run in parallel on Indexers

Examples:
– eval
– where
– rex
 “Streaming” command example
Remote results
... | eval foo=“bar” | ...

field_A field_B field_C foo Indexers

the jumps dog bar
Final search results
field_A field_B field_C foo field_A field_B field_C foo
quick over oops bar the jumps dog bar
quick over oops bar
field_A field_B field_C foo brown the too bar
brown the too bar Search fox lazy many bar
head

field_A field_B field_C foo

fox lazy many bar

32
 “Stateful Streaming” commands

Process search results one-by-one

– Can maintain global state
– Must not re-order search results

Only run at Search Head

Examples:
– accum
– streamstats
– dedup
 “Stateful Streaming” command example
... | accum foo | ...

field_A field_B field_C foo field_A field_B field_C foo

the jumps dog 1 the jumps dog 1
quick over oops 1 quick over oops 2
brown the too 1 brown the too 3
fox lazy many 1 fox lazy many 4

34
 “Events” commands

Process search results as a whole

– May re-order search results
– Typically maintain all fields in each event, especially:
ê _raw, _time, index, sourcetype, source, host

Only run at Search Head

May run several times for “preview”

Examples:
– sort
– eventstats
 “Events” command example
... | sort field_A | ...

field_A field_B field_C foo field_A field_B field_C foo

the jumps dog 1 brown the too 3
quick over oops 2 fox lazy many 4
brown the too 3 quick over oops 2
fox lazy many 4 the jumps dog 1

36
 “Reporting” commands

Process search results as a whole

– Typically transform the results (e.g. aggregate, project, summarize, etc.)

Only run at Search Head

May run several times for “preview”
Results show up in the “Statistics” tab

Examples:
– stats
– timechart
– transpose
 “Reporting” command example
... | stats count | ...

field_A field_B field_C foo

the jumps dog 1
count
quick over oops 2
4
brown the too 3
fox lazy many 4

38
 Beware of large result sets!

“Events” and “Reporting” commands process results as a whole.

– May contain 1,000,000s of search results!
– Write Streaming or Stateful commands instead when possible.

Build-in capacity limits, or spill results to disk when necessary.

39
 Streaming “pre-op”

Commands may specify a “pre-op” to prepend in SPL

... | stats count | ... ... | prestats count | stats count | ...

Communicated to splunkd in getinfo metadata (streaming_preop)

Useful to parallelize computation, reduce volume of data transfer
Must be “Streaming” (i.e., may run at Indexers)

40
Implementing Custom
Search Commands
with the Splunk SDK
for Python

41
 Basic steps to create a search command

1. Create an “App”
2. Deploy the Python SDK for Splunk in the bin directory
3. Write a script for your Custom Search Command
4. Register your command in commands.conf
5. Restart Splunk Enterprise
6. (optional) Export the command to other apps
Create an “App”

43
Deploy the Python SDK in the bin directory

cd $SPLUNK_HOME/etc/apps/MyNewApp/bin

pip install -t . splunk-sdk

44
Write a script for your Custom Search Command

$SPLUNK_HOME/etc/apps/MyNewApp/bin/foobar.py
import sys
from splunklib.searchcommands import dispatch, StreamingCommand, Configuration

@Configuration()
class FoobarCommand(StreamingCommand):
def stream(self, records):
for record in records:
record['foo'] = 'bar'
yield record

if __name__ == "__main__":
dispatch(FoobarCommand, sys.argv, sys.stdin, sys.stdout, __name__)

45
 Register your command in commands.conf

$SPLUNK_HOME/etc/apps/MyNewApp/default/commands.conf
[foobar]
chunked=true
# filename=foobar.py ## <--- optional

46
 Restart Splunk Enterprise

$SPLUNK_HOME/bin/splunk restart

47
Export to other apps (optional)

48
Export to other apps (optional)

49
Export to other apps (optional)

50
 Example Streaming Command

$SPLUNK_HOME/etc/apps/MyNewApp/bin/exstream.py
import sys
from splunklib.searchcommands import dispatch, StreamingCommand, Configuration

@Configuration()
class ExStreamCommand(StreamingCommand):
def stream(self, records):
for record in records:
record['foo'] = 'bar'
yield record

if __name__ == "__main__":
dispatch(ExStreamCommand, sys.argv, sys.stdin, sys.stdout, __name__)

51
 Example Stateful Streaming Command

$SPLUNK_HOME/etc/apps/MyNewApp/bin/exstateful.py
import sys
from splunklib.searchcommands import dispatch, StreamingCommand, Configuration

@Configuration(local=True)
class ExStatefulCommand(StreamingCommand):
def stream(self, records):
for record in records:
record['foo'] = 'bar'
yield record

if __name__ == "__main__":
dispatch(ExStatefulCommand, sys.argv, sys.stdin, sys.stdout, __name__)

52
 Example Events Command

$SPLUNK_HOME/etc/apps/MyNewApp/bin/exevents.py
import sys
from splunklib.searchcommands import dispatch, EventingCommand, Configuration

@Configuration()
class ExEventsCommand(EventingCommand):
def transform(self, records):
l = list(records)
l.sort(key=lambda r: r['_raw'])
return l

if __name__ == "__main__":
dispatch(ExEventsCommand, sys.argv, sys.stdin, sys.stdout, __name__)

53
 Example Reporting Command
$SPLUNK_HOME/etc/apps/MyNewApp/bin/exreport.py
import sys
from splunklib.searchcommands import dispatch, ReportingCommand, Configuration

@Configuration()
class ExReportCommand(ReportingCommand):
@Configuration()
def map(self, records):
return records

def reduce(self, records):

count = 0
for r in records:
count += 1
return [{'count': count}]

if __name__ == "__main__":
dispatch(ExReportCommand, sys.argv, sys.stdin, sys.stdout, __name__)
54
 A little advice

Custom commands are programs that run on Splunk instances

– BEWARE UNVALIDATED INPUT!
– Sanitize user arguments AND search results

Use role-based access control to

restrict access

Be prepared to handle 1,000,000s

of events

Be excellent to each other.

55
 What Now?

https://github.com/splunk/splunk-sdk-python
– https://github.com/splunk/splunk-sdk-python/tree/master/examples/searchcommands_app

Dev Portal Documentation

– http://dev.splunk.com/view/python-sdk/SP-CAAAEU2

Contact: Developer Ecosystem Team <[email protected]>

56
 © 2017 SPLUNK INC.

Thank You
Don't forget to rate this session in the
.conf2017 mobile app
Q&A
Backup Slides
Streaming Commands only serialize required fields

{“required_fields”: [“fieldX”], …}

Internal result set External result set

_raw,_time,_cd,_indextime,...,fieldX _chunked_idx,fieldX
a,1400000000,x:y,1400000010,...,BOB 0,BOB
a,1400000001,x:y,1400000011,...,JIM 1,JIM
a,1400000002,x:y,1400000012,...,BOB 2,BOB
a,1400000003,x:y,1400000013,...,JIM 3,JIM
a,1400000004,x:y,1400000014,...,JIM 4,JIM
a,1400000005,x:y,1400000015,...,BOB 5,BOB
a,1400000006,x:y,1400000016,...,JIM 6,JIM
a,1400000007,x:y,1400000017,...,BOB 7,BOB
a,1400000008,x:y,1400000018,...,BOB 8,BOB
a,1400000009,x:y,1400000019,...,JIM 9,JIM
 “Right outer-join” on required fields

Result set

• Supports
In splunkd To external process – Removing events
– Adding events

New field
Slice
+ – Editing fields
idx

idx
Result set
– Adding fields
• Can’t re-order events

New field
Result set
 Performance comparison
2.5 million events
180
160
140
Runtime (seconds)

120
100
Splunk
80 Protocol v1
60 Protocol v2

40
20
0
Echo Echo (CSV) Echo | where
(selected)
 “Streaming” command example
... | eval foo=“bar” | ...

field_A field_B field_C field_A field_B field_C foo

the jumps dog the jumps dog bar
quick over oops quick over oops bar
brown the too brown the too bar
fox lazy many fox lazy many bar

63