https://community.splunk.com/t5/Splunk-Search/Preserving-multi-value-fields-through-custom-search-command/m-p/93584#M24113 <P>Hello,</P> <P>I'm trying to build a Python custom search command. The command is run after a <CODE>transaction</CODE>, and adds values corresponding to events in the transaction based on the business logic.</P> <P>This is my search:</P> <PRE><CODE>sourcetype=mysourcetype | transaction User_ID keepevicted=true mvlist=true | where eventcount &gt; 2 | positioning | table * </CODE></PRE> <P>This is the script for my <CODE>positioning</CODE> command:</P> <PRE><CODE>#!/usr/bin/env python2.7 import splunk.Intersplunk def handle_lines(enumerable): for i, line in enumerate(enumerable): # business logic goes here yield new_line output = [] for line in handle_lines(search_results): output.append(line) splunk.Intersplunk.outputResults(output) </CODE></PRE> <P>(there's a reason for my seemingly redundant use of the generator pattern here)</P> <P>Even if handle_lines yields each line without doing anything to it, Splunk seems to lose its awareness of all the multi-value fields. Instead of this:</P> <P><IMG src="http://i.imgur.com/5Rgv3.png" alt="alt text" /></P> <P>I get this:</P> <P><IMG src="http://i.imgur.com/q1PN4.png" alt="alt text" /></P> <P>It does work if I change my <CODE>handle_lines()</CODE> function to output them as an array:</P> <PRE><CODE>def handle_lines(enumerable): for i, line in enumerate(enumerable): new_line = {} for attr in line: new_line[attr] = line[attr].split(' ') # business logic goes here yield new_line </CODE></PRE> <P>The problem here is that some of my fields have spaces, and this causes them to get broken into multi-valued fields as well. This wreaks havoc with what I'm trying to to back in Splunk - I'm assuming that each event has multiple values for each field corresponding to its <CODE>eventcount</CODE>.</P> <P>I'm surprised that I'm having this issue since I'm just using the data exactly as it's provided by <CODE>splunk.Intersplunk</CODE>; I assumed the library would handle the multi-value field logic.</P> Mon, 09 Jul 2012 06:48:14 GMT dbryan 2012-07-09T06:48:14Z https://community.splunk.com/t5/Splunk-Search/Preserving-multi-value-fields-through-custom-search-command/m-p/93584#M24113 <P>Hello,</P> <P>I'm trying to build a Python custom search command. The command is run after a <CODE>transaction</CODE>, and adds values corresponding to events in the transaction based on the business logic.</P> <P>This is my search:</P> <PRE><CODE>sourcetype=mysourcetype | transaction User_ID keepevicted=true mvlist=true | where eventcount &gt; 2 | positioning | table * </CODE></PRE> <P>This is the script for my <CODE>positioning</CODE> command:</P> <PRE><CODE>#!/usr/bin/env python2.7 import splunk.Intersplunk def handle_lines(enumerable): for i, line in enumerate(enumerable): # business logic goes here yield new_line output = [] for line in handle_lines(search_results): output.append(line) splunk.Intersplunk.outputResults(output) </CODE></PRE> <P>(there's a reason for my seemingly redundant use of the generator pattern here)</P> <P>Even if handle_lines yields each line without doing anything to it, Splunk seems to lose its awareness of all the multi-value fields. Instead of this:</P> <P><IMG src="http://i.imgur.com/5Rgv3.png" alt="alt text" /></P> <P>I get this:</P> <P><IMG src="http://i.imgur.com/q1PN4.png" alt="alt text" /></P> <P>It does work if I change my <CODE>handle_lines()</CODE> function to output them as an array:</P> <PRE><CODE>def handle_lines(enumerable): for i, line in enumerate(enumerable): new_line = {} for attr in line: new_line[attr] = line[attr].split(' ') # business logic goes here yield new_line </CODE></PRE> <P>The problem here is that some of my fields have spaces, and this causes them to get broken into multi-valued fields as well. This wreaks havoc with what I'm trying to to back in Splunk - I'm assuming that each event has multiple values for each field corresponding to its <CODE>eventcount</CODE>.</P> <P>I'm surprised that I'm having this issue since I'm just using the data exactly as it's provided by <CODE>splunk.Intersplunk</CODE>; I assumed the library would handle the multi-value field logic.</P> Mon, 09 Jul 2012 06:48:14 GMT https://community.splunk.com/t5/Splunk-Search/Preserving-multi-value-fields-through-custom-search-command/m-p/93584#M24113 dbryan 2012-07-09T06:48:14Z https://community.splunk.com/t5/Splunk-Search/Preserving-multi-value-fields-through-custom-search-command/m-p/93585#M24114 <P>I've considered that I might need a search-time transform to replace spaces within my fields with some other values prior to passing them to my custom command, but I'd really like to avoid this if possible.</P> Mon, 09 Jul 2012 08:08:36 GMT https://community.splunk.com/t5/Splunk-Search/Preserving-multi-value-fields-through-custom-search-command/m-p/93585#M24114 dbryan 2012-07-09T08:08:36Z https://community.splunk.com/t5/Splunk-Search/Preserving-multi-value-fields-through-custom-search-command/m-p/93586#M24115 <P>Hello, I am the supreme reigning idiot.</P> <P>I was missing this in <CODE>commands.conf</CODE> for the custom search command:</P> <PRE><CODE>supports_multivalues = true </CODE></PRE> Tue, 10 Jul 2012 03:02:09 GMT https://community.splunk.com/t5/Splunk-Search/Preserving-multi-value-fields-through-custom-search-command/m-p/93586#M24115 dbryan 2012-07-10T03:02:09Z