topic Re: custom command help in Splunk Search

custom command help

rakesh_498115 — Mon, 28 Sep 2020 13:51:54 GMT

Hi ..

In my Splunk results say i get a lot of numerical values for a field say "A" . Now i want avg of the top 95 values of the field A . so i have defined a funciton in python like this..

// test.py

def myfunction(r):
AvgBest95 = sum(r[0:95])/95

return AvgBest95

and i have given the command name in commands.conf

[test]
filename = test.py

in authorize.conf also i have defined the stanga as

capability::run_script_test]

[role_admin]
run_script_test= enabled

So Now when i run the command in the search . it is not showing any values...

i have used my search like this ..

sourcetype="mydata" | table A | test myfunciton(A)

Please help ..if i am missing anything ...

Re: custom command help

Ayn — Thu, 09 May 2013 08:15:40 GMT

Is that code snippet all there is in your Python file?? In that case you have MUCH reading to do on how to create a custom command.

Re: custom command help

rakesh_498115 — Thu, 09 May 2013 10:40:37 GMT

yeah..the code snippnet is there in Python file...i am not getting how can i pass this value of my field A to my function in the python file....

Re: custom command help

Ayn — Thu, 09 May 2013 10:56:36 GMT

You should read up on the basics before you dive into this. I honestly don't know where to start - for one, you can't call individual functions in custom commands like you're trying to do. Then there's the issue of that custom commands need to use Splunk packages for receiving and outputting data. You need to read this, among other things. http://docs.splunk.com/Documentation/Splunk/5.0.2/AdvancedDev/SearchScripts

Re: custom command help

Ayn — Thu, 09 May 2013 10:57:09 GMT

(I thought you were getting personal help from Splunk's partner team?)

Re: custom command help

dwaddle — Thu, 09 May 2013 14:25:12 GMT

If I may plug my own app, http://splunk-base.splunk.com/apps/35644/base64-custom-command, it demonstrates just about the "most minimally viable" custom command. There is a lot of stuff there that is absolutely necessary boilerplate. It is boilerplate you need to understand to connect what you want your custom command "to do" to Splunk's custom command input and output plumbing.

Basically, custom commands need to read events on stdin, do the needful, then write the new results to stdout. And you will need to take into account that in certain situations your custom command may be called more than once by Splunk and may "see" the same event more than once.

All of that said, why did you not simply do a

| head 95 | stats avg(A) as avg_first_95_A

it's not like the search language does not have these constructs built in already...

Re: custom command help

alacercogitatus — Thu, 09 May 2013 14:53:03 GMT

|top A limit=95 | stats avg(A) I think is more inline with what he wants :D. http://www.keepcalmandposters.com/posters/54856.png

Re: custom command help

rakesh_498115 — Fri, 10 May 2013 14:42:48 GMT

Hi dwaddle,alcercogitatus ..i knew we can do the way u suggested..i wanted to get a pratice of custom commands so i have raised this question...

Re: custom command help

rakesh_498115 — Fri, 10 May 2013 14:46:15 GMT

Yeah Ayn...we are paid Partners for Splunk .we often get in touch with them..and they have suggested the first place to go always is splunkbase so posted this question...i want to start with my own custom commands...thanks for your link...going through it..Hopefully will be able to do some custom commands ..