Create and apply a custom command function for the Ingest Processor solution
Create custom command functions in Search Processing Language Version 2 (SPL2) and apply them to new or existing pipelines. Custom command functions are user-defined to reuse common data transformations between multiple pipelines. For example, if you process the same sourcetype in multiple pipelines, use a custom command function to extract fields instead of copying and pasting code between pipelines.
Steps to create and publish a custom command function
To create and publish a custom command function, see the following steps:
- On the Data Management homepage, select Shared workspaces. From there, select the shared workspace where you would like to locate your custom command function. It needs to be a workspace that you created.
- Select New, and then select Module.
- Write your custom command function in SPL2. Both the source and the return type have to be dataset. For more information on SPL2, see SPL2 Command Quick Reference in the SPL2 Search Reference.
See the following custom command function example in SPL2:
/** * This is a custom command function that takes one argument * @param $source * @param $arg - description of arg */ function command_function_with_argument($source:dataset, $arg:string):dataset { return | from $source | eval tag = "Has run command_function_with_argument with ${$arg}"; } export command_function_with_argument - Export your module by adding the line export [name of your function]. As a shortcut, select the three dots (⋮) next to the custom command function's name in the outline, and then select export. This will add the line for you. See Exporting module items using SPL2 in the SPL2 Search Manual for more information.
- Select Save module, give your module a name, and then select Save.
- Select Publish. This custom command function can now be discovered by you and others with access to your shared workspace.
Apply a custom command function to a pipeline
You can discover custom command functions and apply them to your pipelines once a custom command function has been published by you or a colleague. You both need to be members of the same shared workspace.
Apply a custom command function to an existing pipeline
You can discover custom command functions and apply them to your pipelines once a custom command function has been published by you or a colleague. You both need to be members of the same shared workspace.
To apply a custom command function to an existing pipeline, see the following steps. These steps work for both the Edge Processor solution and the Ingest Processor solution:
-
Navigate to the Pipelines page.
-
Select the three dots (⋮) in the row that lists your pipeline, and then select Edit. This will take you to the pipeline editor for that pipeline.
-
Select the Actions icon (
) and select Apply custom command function.
-
Search for the name of your custom command function, and view its documentation. Specify parameters values for the selected custom command function as necessary.
-
Select Apply.
Apply a custom command function to a new pipeline
You can use a custom command function in a new pipeline before it has been saved. See the following steps:
-
Navigate to the Pipelines page, then select New pipeline and then Ingest Processor pipeline.
-
Follow the on-screen instructions until you get to the SPL2 editor. For more information, if you are using the Edge Processor solution, see the steps in Create pipelines for Edge Processors in the Use Edge Processors manual. For the Ingest Processor solution, see the steps in Create pipelines for Ingest Processor in the Use Ingest Processors manual.
-
Select the Actions icon (
) and select Apply custom command function.
-
Search for the name of your custom command function, and view its documentation. Specify parameters values for the selected custom command function as necessary.
-
Select Apply.