topic Re: how to feed search result into "custom search command" and get output from custom search command? in Splunk Search

how to feed search result into "custom search command" and get output from custom search command?

muratogul — Mon, 21 May 2018 21:57:42 GMT

Hi,
I have written a custom search command to send whois queries for ip addresses that are resulted from search head. I assume that custom search command will get search result from search head and send them whois.arin.net then results will be listed in another field.

command.conf file includes following:

[whois]
chunked = true
filename = whois.py
generating = true
supports_rawargs = true
streaming = true
retainsevents = true #!!!!!!  not sure for this !!!!!!!!!!

code location:
C:\Program Files\Splunk\etc\system\bin
code snippet is also following, whole code is working properly out of Splunk, but dont get ant response when running on search head.

def whoisQuery(orgnames, settings):
    orgnames = []
    orgname = {}
............................................

if "OrgName" in i:
                b = i.split()
                orgname['OrgName'] = b[1:]
                orgnames.append(orgname)
                break
    except:
        pass

    return orgnames         

#to get previous search results     
orgnames, dummyresults, settings = splunk.Intersplunk.getOrganizedResults()     

#for result in orgnames:
orgnames = whoisQuery(orgnames, settings)
splunk.Intersplunk.outputResults(orgnames)

Re: how to feed search result into "custom search command" and get output from custom search command?

MuS — Mon, 21 May 2018 22:50:58 GMT

There are many things that can break here, so I just add a list of possible checks:

Did you add import splunk.Intersplunk to your script?
What happens if you start the script manually $SPLUNK_HOME/bi/splunk cmd python yourscritpnamehere.py any errors?
Did you try the example from the docs http://docs.splunk.com/Documentation/Splunk/latest/Search/Customsearchcommandshape#Add_the_Python_script does that work?

cheers, MuS

Re: how to feed search result into "custom search command" and get output from custom search command?

muratogul — Tue, 22 May 2018 00:01:05 GMT

thanks for response,
1. is already ok.
2. script run but no result or error, kind of infinite loop
3. yes I have two different script one of them is exactly from this sample even if it is not clear how search result being fed into script and how script results being returned to UI screen?

results,unused1,unused2 = splunk.Intersplunk.getOrganizedResults()

for result in results:
result["whois"] = whoisQuery(result["_raw"])
splunk.Intersplunk.outputResults(results)

Re: how to feed search result into "custom search command" and get output from custom search command?

MuS — Tue, 22 May 2018 03:55:56 GMT

this line results,unused1,unused2 = splunk.Intersplunk.getOrganizedResults() is reading the previous search results, and this line splunk.Intersplunk.outputResults(results) will output the results of your script into Splunk.

Maybe just start with the example, make that work and then start to change the script logic.

cheers, MuS

Re: how to feed search result into "custom search command" and get output from custom search command?

jkat54 — Tue, 22 May 2018 15:05:52 GMT

Do this

results,unused1,unused2 = splunk.Intersplunk.getOrganizedResults()

And then orgnames=results[‘orgNamesField’]

In your getWhois function, don’t clobber the orgnames object. (orgnames=[] effectively wipes out what was passed to the function).

for result in results:
   orgnames=result[‘orgNamesField’]
   result[‘whoisResults’] = getWhois(orgnames)
splunk.Intersplunk.outputResults(results)

Re: how to feed search result into "custom search command" and get output from custom search command?

muratogul — Tue, 22 May 2018 21:47:51 GMT

thanks, make sense.