https://community.splunk.com/t5/Splunk-Dev/Multiple-results-using-custom-ReportingCommand/m-p/553142#M9901 <P>Hello,</P><P>i'm trying to developed a custom ReportingCommand. Like the build-in command stats, I want only the global result on all my events and not the partial results from the reduce function being use multiples times.<BR /><BR /></P><P>I tried with the example given in the splunk sdk :</P><LI-CODE lang="python">import os,sys splunkhome = os.environ['SPLUNK_HOME'] sys.path.append(os.path.join(splunkhome, 'etc', 'apps', 'sum-dev', 'lib')) from splunklib.searchcommands import dispatch, ReportingCommand, Configuration, Option, validators from splunklib.searchcommands.validators import Fieldname import splunk import logging, logging.handlers def setup_logging(): logger = logging.getLogger('splunk.sumdev') SPLUNK_HOME = os.environ['SPLUNK_HOME'] LOGGING_DEFAULT_CONFIG_FILE = os.path.join(SPLUNK_HOME, 'etc', 'log.cfg') LOGGING_LOCAL_CONFIG_FILE = os.path.join(SPLUNK_HOME, 'etc', 'log-local.cfg') LOGGING_STANZA_NAME = 'python' LOGGING_FILE_NAME = "sumdev.log" BASE_LOG_PATH = os.path.join('var', 'log', 'splunk') LOGGING_FORMAT = "%(asctime)s %(levelname)-s\t%(module)s:%(lineno)d - %(message)s" splunk_log_handler = logging.handlers.RotatingFileHandler(os.path.join(SPLUNK_HOME, BASE_LOG_PATH, LOGGING_FILE_NAME), mode='a') splunk_log_handler.setFormatter(logging.Formatter(LOGGING_FORMAT)) logger.addHandler(splunk_log_handler) splunk.setupSplunkLogger(logger, LOGGING_DEFAULT_CONFIG_FILE, LOGGING_LOCAL_CONFIG_FILE, LOGGING_STANZA_NAME) return logger @Configuration() class SumCommand(ReportingCommand): total = Option( doc=''' **Syntax:** **total=***&lt;fieldname&gt;* **Description:** Name of the field that will hold the computed sum''', require=True, validate=validators.Fieldname()) @Configuration() def map(self, records): """ Computes sum(fieldname, 1, n) and stores the result in 'total' """ self.logger.debug('SumCommand.map') fieldnames = self.fieldnames total = 0.0 for record in records: for fieldname in fieldnames: total += float(record[fieldname]) yield {self.total: total} @Configuration() def reduce(self, records): """ Computes sum(total, 1, N) and stores the result in 'total' """ self.logger.debug('SumCommand.reduce') fieldname = self.total total = 0.0 for record in records: value = record[fieldname] try: total += float(value) except ValueError: self.logger.debug(' could not convert %s value to float: %s', fieldname, repr(value)) yield [{self.total: total}] dispatch(SumCommand, sys.argv, sys.stdin, sys.stdout, __name__)</LI-CODE><P>&nbsp;</P><P>With that code, the search&nbsp;<EM>index=_internal | head 200 | sum total=lines linecount&nbsp;&nbsp;</EM> gives me a field "lines" with multiples values, and not one value corresponding to the total count like I want to.<BR /><BR />It's my first time doing a ReportingCommand, I will really appreciate anyone helps !<BR /><BR /><BR /></P> Wed, 26 May 2021 13:14:16 GMT afaucher 2021-05-26T13:14:16Z https://community.splunk.com/t5/Splunk-Dev/Multiple-results-using-custom-ReportingCommand/m-p/553142#M9901 <P>Hello,</P><P>i'm trying to developed a custom ReportingCommand. Like the build-in command stats, I want only the global result on all my events and not the partial results from the reduce function being use multiples times.<BR /><BR /></P><P>I tried with the example given in the splunk sdk :</P><LI-CODE lang="python">import os,sys splunkhome = os.environ['SPLUNK_HOME'] sys.path.append(os.path.join(splunkhome, 'etc', 'apps', 'sum-dev', 'lib')) from splunklib.searchcommands import dispatch, ReportingCommand, Configuration, Option, validators from splunklib.searchcommands.validators import Fieldname import splunk import logging, logging.handlers def setup_logging(): logger = logging.getLogger('splunk.sumdev') SPLUNK_HOME = os.environ['SPLUNK_HOME'] LOGGING_DEFAULT_CONFIG_FILE = os.path.join(SPLUNK_HOME, 'etc', 'log.cfg') LOGGING_LOCAL_CONFIG_FILE = os.path.join(SPLUNK_HOME, 'etc', 'log-local.cfg') LOGGING_STANZA_NAME = 'python' LOGGING_FILE_NAME = "sumdev.log" BASE_LOG_PATH = os.path.join('var', 'log', 'splunk') LOGGING_FORMAT = "%(asctime)s %(levelname)-s\t%(module)s:%(lineno)d - %(message)s" splunk_log_handler = logging.handlers.RotatingFileHandler(os.path.join(SPLUNK_HOME, BASE_LOG_PATH, LOGGING_FILE_NAME), mode='a') splunk_log_handler.setFormatter(logging.Formatter(LOGGING_FORMAT)) logger.addHandler(splunk_log_handler) splunk.setupSplunkLogger(logger, LOGGING_DEFAULT_CONFIG_FILE, LOGGING_LOCAL_CONFIG_FILE, LOGGING_STANZA_NAME) return logger @Configuration() class SumCommand(ReportingCommand): total = Option( doc=''' **Syntax:** **total=***&lt;fieldname&gt;* **Description:** Name of the field that will hold the computed sum''', require=True, validate=validators.Fieldname()) @Configuration() def map(self, records): """ Computes sum(fieldname, 1, n) and stores the result in 'total' """ self.logger.debug('SumCommand.map') fieldnames = self.fieldnames total = 0.0 for record in records: for fieldname in fieldnames: total += float(record[fieldname]) yield {self.total: total} @Configuration() def reduce(self, records): """ Computes sum(total, 1, N) and stores the result in 'total' """ self.logger.debug('SumCommand.reduce') fieldname = self.total total = 0.0 for record in records: value = record[fieldname] try: total += float(value) except ValueError: self.logger.debug(' could not convert %s value to float: %s', fieldname, repr(value)) yield [{self.total: total}] dispatch(SumCommand, sys.argv, sys.stdin, sys.stdout, __name__)</LI-CODE><P>&nbsp;</P><P>With that code, the search&nbsp;<EM>index=_internal | head 200 | sum total=lines linecount&nbsp;&nbsp;</EM> gives me a field "lines" with multiples values, and not one value corresponding to the total count like I want to.<BR /><BR />It's my first time doing a ReportingCommand, I will really appreciate anyone helps !<BR /><BR /><BR /></P> Wed, 26 May 2021 13:14:16 GMT https://community.splunk.com/t5/Splunk-Dev/Multiple-results-using-custom-ReportingCommand/m-p/553142#M9901 afaucher 2021-05-26T13:14:16Z