topic Re: Custom Command Protocol Version 2 in Splunk Search

Custom Command Protocol Version 2-What needs to be changed when switching from version 1 to version 2?

pinVie — Fri, 06 Jan 2023 04:07:08 GMT

Hi all,

I am currently a little bit stuck ...

Commands.conf looks like this:
[tc]
chunked = true
filename = tc.py

[t]
retainsevents = true
streaming = true
filename = t.py

tc is the same command as t but it should use protocol version 2 instead of 1
The version 1 script works but when using the version 2 script, it just says
"Could not locate the time (_time) field on some results returned from the external search command 'tc'"

Documentation on version 2 is a little bit sketchy so,
--> what needs to be changed when switching from version 1 to version 2?
--> is there a sample custom streaming command for version 2 ?

Thanks

Re: Custom Command Protocol Version 2

gwobben — Wed, 05 Oct 2016 08:39:27 GMT

Well, there's nothing wrong with your configuration. I can't look into the Python script or the query so it's really hard to debug. As inspiration you might want to look a what others wrote, e.g.: https://answers.splunk.com/answers/387430/cant-we-use-a-custom-search-command-with-stats-in.html
Hope this helps...

Re: Custom Command Protocol Version 2

aljohnson_splun — Wed, 05 Oct 2016 15:52:25 GMT

There are some great examples in the Python SDK:

https://github.com/splunk/splunk-sdk-python/tree/master/examples/searchcommands_app

At time of writing:

├── bin
│   ├── splunklib
│   │   └── searchcommands ....... splunklib.searchcommands module
│   ├── countmatches.py .......... CountMatchesCommand implementation
│   ├── generatetext.py .......... GenerateTextCommand implementation
│   ├── pypygeneratetext.py ...... Executes generatetext.py with PyPy
│   ├── simulate.py .............. SimulateCommand implementation
│   ├── sum.py ................... SumCommand implementation
│   └── 
├── default
│   ├── data
│   │   └── ui
│   │       └── nav
│   │           └── default.xml ..
│   ├── app.conf ................. Used by Splunk to maintain app state [1]
│   ├── commands.conf ............ Search command configuration [2]
│   ├── logging.conf ............. Python logging[3] configuration in ConfigParser[4] format
│   └── searchbnf.conf ........... Search assistant configuration [5]
└── metadata
    └── local.meta ............... Permits the search assistant to use searchbnf.conf[6]

Re: Custom Command Protocol Version 2

jeff — Thu, 02 Mar 2017 22:04:27 GMT

I had the same questions. The online documentation provides not helpful advice like:

Turns out it's a problem with their documentation parsing from the source code. You can find this info in the comments of splunklib/searchcommands/generating_command.py. eg:

Reporting Generating command
============================

Commands configured like this will run as the first command on a search head on the reports pipeline.

+----------+---------------------------------------------------+------+
| Pipeline | ...  | SCP 2                                             |
+==========+=...==+===================================================+
| events   | ...  | Add this configuration setting to your command    |
|          | ...  | setting to your command class:                    |
|          | ...  |                                                   |
|          | ...  | .. code-block:: python                            |
|          | ...  |     @Configuration(type='reporting')              |
|          | ...  |     class SomeCommand(GeneratingCommand)          |
|          | ...  |         ...                                       |
|          | ...  |                                                   |
|          | ...  |                                                   |
|          | ...  |                                                   |
|          | ...  |                                                   |
|          | ...  |                                                   |
|          | ...  |                                                   |
+----------+---------------------------------------------------+------+

Re: Custom Command Protocol Version 2

ays7abt — Thu, 20 Apr 2017 06:38:00 GMT

Hello guys,

is the now maybe a other documentation out, which explains the interface?

Re: Custom Command Protocol Version 2

liujie — Tue, 20 Feb 2018 19:03:02 GMT

I tried to load the SDK for Python and encountered a syntax error because the SDK was created using Python 2.7 and I am using Python 3.5. Am I doing something wrong? I loaded the SDK egg that has a time stamp of 2016. Is there a new version of the SDK?

Thanks!

Re: Custom Command Protocol Version 2

Anam — Tue, 20 Feb 2018 19:15:21 GMT

Hi liujie

This question was posted 2 years ago. If none of the answers were able to help you with your question, please post a new question so you can get maximum exposure and help.

Thanks

Re: Custom Command Protocol Version 2

spunk_enthusias — Thu, 05 Jan 2023 20:38:51 GMT

Ha, yep, I had to guess this myself. The custom search commands (or splunklib in general) docs could use some work.