https://community.splunk.com/t5/Splunk-Dev/Output-XML-via-a-custom-search-command/m-p/78626#M1118 <P>I'm working on a custom search command which will take the results of a search and create an XML output file. As a very simplified example, the search might look like this:</P> <PRE><CODE>source=a OR source=b | fields host, source, some_field | outputxml </CODE></PRE> <P>Within my search command, I read the results and aggregate all of the stuff into Python dicts (e.g. source[type]['total'] += 1, source[type][value] += 1, etc), and then attempt to write the results to a randomly named output file, where the XML would look something like:</P> <PRE><CODE>&lt;xml&gt; &lt;source type="syslog" total="2"&gt; &lt;some_field value="1" count="1"/&gt; &lt;some_field value="0" count="1"/&gt; &lt;/source&gt; &lt;source type="dhcp" total="1"&gt; &lt;some_field value="1" count="1"/&gt; &lt;source&gt; &lt;/xml&gt; </CODE></PRE> <P>However, I suppose due to map/reduce maybe, multiple output files are created with the results being spread among them. At least, I suppose that it would make sense to be a function of map/reduce, and actually rather cool to see in action.</P> <P>Is my analysis correct? If so, what is the best practice for handling this merging of results into a single, highly structured output file where order matters?</P> Sun, 10 Apr 2011 23:25:57 GMT mw 2011-04-10T23:25:57Z https://community.splunk.com/t5/Splunk-Dev/Output-XML-via-a-custom-search-command/m-p/78626#M1118 <P>I'm working on a custom search command which will take the results of a search and create an XML output file. As a very simplified example, the search might look like this:</P> <PRE><CODE>source=a OR source=b | fields host, source, some_field | outputxml </CODE></PRE> <P>Within my search command, I read the results and aggregate all of the stuff into Python dicts (e.g. source[type]['total'] += 1, source[type][value] += 1, etc), and then attempt to write the results to a randomly named output file, where the XML would look something like:</P> <PRE><CODE>&lt;xml&gt; &lt;source type="syslog" total="2"&gt; &lt;some_field value="1" count="1"/&gt; &lt;some_field value="0" count="1"/&gt; &lt;/source&gt; &lt;source type="dhcp" total="1"&gt; &lt;some_field value="1" count="1"/&gt; &lt;source&gt; &lt;/xml&gt; </CODE></PRE> <P>However, I suppose due to map/reduce maybe, multiple output files are created with the results being spread among them. At least, I suppose that it would make sense to be a function of map/reduce, and actually rather cool to see in action.</P> <P>Is my analysis correct? If so, what is the best practice for handling this merging of results into a single, highly structured output file where order matters?</P> Sun, 10 Apr 2011 23:25:57 GMT https://community.splunk.com/t5/Splunk-Dev/Output-XML-via-a-custom-search-command/m-p/78626#M1118 mw 2011-04-10T23:25:57Z https://community.splunk.com/t5/Splunk-Dev/Output-XML-via-a-custom-search-command/m-p/78627#M1119 <P>I would suggest that it might be easier to get what you want by calling the Splunk API:</P> <PRE><CODE>wget --no-check-certificate --user=admin --password=changeme -O - --post-data='search sourcetype%3Dmysourcetype | head 2&amp;exec_mode=oneshot' <A href="https://localhost:8089/services/search/jobs" target="test_blank">https://localhost:8089/services/search/jobs</A> </CODE></PRE> <P>There is also generally no need for you to worry about map-reduce. Splunk will take care of that. (It's possible to write map-reduceable search commands if you specify them as <CODE>streaming</CODE>, but converting CSV to XML and attempting to merge them in the reduce step is not an operation that will gain from what Splunk already does with the results.) So you can just worry about convert the CSV input to XML on a single node.</P> Mon, 11 Apr 2011 11:41:25 GMT https://community.splunk.com/t5/Splunk-Dev/Output-XML-via-a-custom-search-command/m-p/78627#M1119 gkanapathy 2011-04-11T11:41:25Z