topic Re: passing search result to empty python file in Splunk Search

passing search result to empty python file

harsh1734 — Mon, 26 Aug 2013 04:40:32 GMT

hi,
i am running a query

index="dataload" in search and i want to transfer it result in empty python file ..For that i hv uploaded a python sdk and created an empty file in aap-search-bin folder..

but i dont know the correct way,how can i transfer my search result to empty python file,i hv to again perform some operation on this python file..but first want to transfer my search result in python file

index="dataload" | tabel python.py
like this.....

Re: passing search result to empty python file

Ayn — Mon, 26 Aug 2013 07:25:11 GMT

What do you mean by transferring to an empty Python file? Why would you want to do that? What's the desired end result?

Re: passing search result to empty python file

harsh1734 — Mon, 26 Aug 2013 08:22:11 GMT

i want to perform some python programming on that index because their is problem in extracting some of the fields.so by writing a script means i know that on 3rd line, my this output will be there so cutting all that field value... some thing like that

Re: passing search result to empty python file

Ayn — Mon, 26 Aug 2013 13:41:59 GMT

That actually made me more confused than I was before 🙂

Re: passing search result to empty python file

Ayn — Mon, 26 Aug 2013 13:42:39 GMT

And oh, if I recall correctly you were the guy who had field extraction problems and wanted to solve them by writing custom Python commands. I still don't think that sounds like a good solution.

Re: passing search result to empty python file

harsh1734 — Tue, 27 Aug 2013 05:43:04 GMT

yup,but this is the only solution i think..because splunk is not able to make the regex for these fileds values like if the field has values like (720),(65,123,457) so it will make regex of (65,123,457) its a single value but splunk is cosidering it as different value and breaking it into 65 123 and 457 as individual unit

Re: passing search result to empty python file

Ayn — Tue, 27 Aug 2013 07:34:10 GMT

I'm very sure Splunk can do this. My advice would be to open up a separate question about this, with examples and good information on what you want to do.

Re: passing search result to empty python file

yannK — Tue, 27 Aug 2013 14:39:41 GMT

Your request for a python script command is quite confusing.

I see 2 alternate simple options :

export all your data in a csv file, and work out of splunk.
see the command "mysearch | table field1 field2 field3 | exportcsv mycsvfile.csv"
or the export options for the UI
or find the correct regex to extract your fields in splunk (see the command "rex" )
http://docs.splunk.com/Documentation/Splunk/5.0.4/SearchReference/Rex
and if needed, use multivalue fields commands,
http://docs.splunk.com/Documentation/Splunk/5.0.4/Search/Parsemultivaluefields
http://docs.splunk.com/Documentation/Splunk/5.0.4/Knowledge/ConfigureSplunktoparsemulti-valuefields

In this case, provide a useful sample. And the expected result.