topic Re: Custom search command always shows Statistics tab in Splunk Dev

Custom search command always shows Statistics tab

plucas_splunk — Sun, 28 Aug 2016 01:35:34 GMT

I have a custom search command nbclosest that returns a subset of search results used like:

index="muni" | nbclosest

That is if there were results containing log entries A, B, C, D, E, it would return a subset, say, A, B, D.

It works (in that only a subset of log entries are returned), but when I run the search, the UI always shows the Statistics tab containing every field in column format ( _raw, _time, ... date_wday, ...).

I want it to show the Events tab as usual, but only the returned subset. (The Events tab shows all the original pre-filtered log entries.)

How can I get what I want?

FYI, my commands.conf is:

[nbclosest]
filename = nbclosest.py
enableheader = false
overrides_timeorder = true
required_fields = _time,vehicle_id,vehicle_distance,stop_tag

The script is:

#! /usr/bin/env python

import csv
import operator
import sys

K_STAG      = 'stop_tag'
K_TIME      = '_time'
K_VDISTANCE = 'vehicle_distance'
K_VID       = 'vehicle_id'

vehicle_dict = { }

try:
    reader = csv.DictReader( sys.stdin )
    headers = reader.fieldnames
    writer = csv.DictWriter( sys.stdout, headers )
    writer.writeheader()

    for row in reader:
        vid = row[ K_VID ]
        if vid not in vehicle_dict:
            vehicle_dict[ vid ] = row
        else:
            old_row = vehicle_dict[ vid ]
            old_stop = old_row[ K_STAG ]
            new_stop =     row[ K_STAG ]
            if new_stop == old_stop:
                old_distance = int( old_row[ K_VDISTANCE ] )
                new_distance = int(     row[ K_VDISTANCE ] )
                if new_distance <= old_distance:
                    vehicle_dict[ vid ] = row
            else:
                writer.writerow( old_row )
                vehicle_dict[ vid ] = row

    remaining_rows = vehicle_dict.values()
    for row in sorted( remaining_rows, key=operator.itemgetter( K_TIME ) ):
        writer.writerow( row )

except Exception as e:
    import traceback
    stack = traceback.format_exc()
    print >>sys.stderr, "Unhandled exception: %s; %s" % (e, stack)

Re: Custom search command always shows Statistics tab

inventsekar — Mon, 29 Aug 2016 02:41:19 GMT

Raw event searches will show the "Events" tab, by default.
Report-generating searches (stats, timechart, top, etc) will show the "Statistics" tab by default.

About the search results tabs -
When you run a search, the types of search commands you use affects which
search results tab get populated. If your search just retrieves events, you can
view the results in the Events tab, but not in the other tabs. If the search includes
transforming commands, you can view the results in the Statistics and
Visualization tabs.
http://docs.splunk.com/Documentation/Splunk/6.0.1/SearchTutorial/Aboutthesearchtabs

on your python script, i am not seeing any splunk commands. if you give us the splunk query, maybe, we can see, if possible to add a "raw event search command" at the end and make it return the "Events" tab by default.

Re: Custom search command always shows Statistics tab

plucas_splunk — Mon, 29 Aug 2016 14:13:29 GMT

Actually, I finally figured out how to use the protocol version 2 (the documentation is pretty sketchy). My scripts using v2 works as I want. So I suppose never mind.

Re: Custom search command always shows Statistics tab

irsysintegratio — Mon, 11 Sep 2017 19:57:59 GMT

How can you do that please?

Re: Custom search command always shows Statistics tab

irsysintegratio — Mon, 11 Sep 2017 20:36:28 GMT

Actually it does not need v2. V1 works as well. Just need to set this in your command.conf for the command:
retainsevents=true

Re: Custom search command always shows Statistics tab

plucas_splunk — Mon, 11 Sep 2017 20:38:21 GMT

But new code should use v2.