https://community.splunk.com/t5/Splunk-Dev/Splunk-script-python-no-results/m-p/105466#M1559 <P>You can't just call an arbitrary script in a search pipeline. The script must know how to accept Splunk pipeline inputs (unless it ignores them, which yours appears to do, so that's fine), but more importantly it must output them in the right format. As it turns out, the output format is a standard CSV file, including a header that specifies the field names. So basically you need to add a print for the CSV file header that matches the fields you're outputting. In general, you'll be a lot better off using the language-specific CSV libraries as well, rather than printing directly.</P> <P>Also, I imagine you understand that this computation can be done in Splunk search language directly and you're merely going through an exercise of getting a simple command to work.</P> Fri, 18 Oct 2013 05:36:33 GMT gkanapathy 2013-10-18T05:36:33Z https://community.splunk.com/t5/Splunk-Dev/Splunk-script-python-no-results/m-p/105465#M1558 <P>I am trying to run a python script from Splunk which takes 3 arguments and then suppose to run calculations on those arguments and print the results into Splunk. But I am not getting any results back. There are about 100 events that I want to run the script on.</P> <P>Splunk command:</P> <P>... | script python amp2 macaddress timestamp numofaverages</P> <P>Values of arguments:</P> <P>macaddress=11:22:33:44:55:66<BR /><BR /> timestamp=123456789<BR /><BR /> numofaverages=1,2,3,4,5,6,7,8,9,10<BR /></P> <P>Below is the python script I am trying to run.</P> <P>import sys</P> <P>mac=sys.argv[1]<BR /><BR /> time=sys.argv[2]<BR /><BR /> avg=sys.argv[3]</P> <P>avg=avg.split(",")<BR /><BR /> avgmin=min(avg)<BR /><BR /> avgmax=max(avg)<BR /><BR /> count=len(avg)<BR /></P> <P>try:<BR /><BR /> &nbsp;avg=map(float, avg)<BR /><BR /> &nbsp;avgmean=round((sum(avg)/count),2)<BR /><BR /> except (NameError, ValueError):<BR /><BR /> &nbsp;avgmin="min"<BR /><BR /> &nbsp;avgmax="max"<BR /><BR /> &nbsp;count="bin count"<BR /><BR /> &nbsp;avgmean="mean"<BR /></P> <P>print(mac+","+time+","+avgmin+","+avgmax+","+str(avgmean)+","+str(count))</P> Fri, 18 Oct 2013 02:31:28 GMT https://community.splunk.com/t5/Splunk-Dev/Splunk-script-python-no-results/m-p/105465#M1558 obhatti 2013-10-18T02:31:28Z https://community.splunk.com/t5/Splunk-Dev/Splunk-script-python-no-results/m-p/105466#M1559 <P>You can't just call an arbitrary script in a search pipeline. The script must know how to accept Splunk pipeline inputs (unless it ignores them, which yours appears to do, so that's fine), but more importantly it must output them in the right format. As it turns out, the output format is a standard CSV file, including a header that specifies the field names. So basically you need to add a print for the CSV file header that matches the fields you're outputting. In general, you'll be a lot better off using the language-specific CSV libraries as well, rather than printing directly.</P> <P>Also, I imagine you understand that this computation can be done in Splunk search language directly and you're merely going through an exercise of getting a simple command to work.</P> Fri, 18 Oct 2013 05:36:33 GMT https://community.splunk.com/t5/Splunk-Dev/Splunk-script-python-no-results/m-p/105466#M1559 gkanapathy 2013-10-18T05:36:33Z https://community.splunk.com/t5/Splunk-Dev/Splunk-script-python-no-results/m-p/105467#M1560 <P>For example, you can pretty much replace your command with:</P> <PRE><CODE>... | eval n=split(numofaverages,",") | stats min(n) as avgmin max(n) mean(n) count(n) by macaddress,timestamp </CODE></PRE> <P>Maybe you want to rename more fields and maybe you want to use the round function to round off the mean, but that's basically it.</P> Fri, 18 Oct 2013 05:43:27 GMT https://community.splunk.com/t5/Splunk-Dev/Splunk-script-python-no-results/m-p/105467#M1560 gkanapathy 2013-10-18T05:43:27Z https://community.splunk.com/t5/Splunk-Dev/Splunk-script-python-no-results/m-p/105468#M1561 <P>Hi gkanapathy, thanks for the reply. Yes I can do these calculations in Splunk but this exercise was for me to understand how Splunk interacts with external scripts. Can you give me more information on python CSV header and how to include them in the code?</P> Fri, 18 Oct 2013 14:01:00 GMT https://community.splunk.com/t5/Splunk-Dev/Splunk-script-python-no-results/m-p/105468#M1561 obhatti 2013-10-18T14:01:00Z https://community.splunk.com/t5/Splunk-Dev/Splunk-script-python-no-results/m-p/105469#M1562 <P>In the Splunk command for the python script, how do I send values from column as arguments? Right now it is only sending "macaddress", "timestamp" and "numofaverages" as arguments.</P> Sat, 19 Oct 2013 21:33:36 GMT https://community.splunk.com/t5/Splunk-Dev/Splunk-script-python-no-results/m-p/105469#M1562 obhatti 2013-10-19T21:33:36Z https://community.splunk.com/t5/Splunk-Dev/Splunk-script-python-no-results/m-p/105470#M1563 <P>Obhatti, what you wamt to do is a Splunk custom search command. Have a look here for details: </P> <P><A href="http://docs.splunk.com/Documentation/Splunk/6.0/AdvancedDev/SearchScripts">http://docs.splunk.com/Documentation/Splunk/6.0/AdvancedDev/SearchScripts</A></P> Sun, 20 Oct 2013 13:13:24 GMT https://community.splunk.com/t5/Splunk-Dev/Splunk-script-python-no-results/m-p/105470#M1563 mdessus_splunk 2013-10-20T13:13:24Z