Are you a member of the Splunk Community?
- Find Answers
- :
- Apps & Add-ons
- :
- All Apps and Add-ons
- :
- Levenshtein Search Command incomplete results and ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The following changes will make the command work reliably in a larger environment.
Fix to allow tstats to work with the command:
Edit line 30 in the levenshtein.py in bin: replace the if '_raw' in r with the following.
if string1 in r and string2 in r:Add to commands.conf:
retainsevents=true
streaming=true
If you make the above changes you will be able to use the command with tstats across data models like the Network Resolution for DNS queries. This will perform much faster due to accelerated data models over normal SPL index=... sourcetype=... type searches.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Use this diff to patch for the above changes if you do not want to do it by hand.
*** old/bin/levenshtein.py 2014-11-11 14:49:21.000000000 -0600
--- new/bin/levenshtein.py 2016-03-14 20:01:06.000000000 -0500
***************
*** 27,33 ****
results,dummyresults,settings = splunk.Intersplunk.getOrganizedResults()
for r in results:
! if "_raw" in r:
if command=="ratio":
ratio=Levenshtein.ratio(r[string1], r[string2])
r["ratio"]=ratio
--- 27,33 ----
results,dummyresults,settings = splunk.Intersplunk.getOrganizedResults()
for r in results:
! if string1 in r and string2 in r:
if command=="ratio":
ratio=Levenshtein.ratio(r[string1], r[string2])
r["ratio"]=ratio
diff -rc old/default/commands.conf new/default/commands.conf
*** old/default/commands.conf 2014-11-05 12:44:12.000000000 -0600
--- new/default/commands.conf 2016-03-14 20:01:44.000000000 -0500
***************
*** 1,2 ****
--- 1,4 ----
[levenshtein]
filename=levenshtein.py
+ retainsevents=true
+ streaming=true
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I had to make the recommended change for the stats command as well.
The author, Nimesh Doshi, appears to be a Splunk employee. How can we get a new revision of the command created with the update? I couldn't find the source on githib...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Use this diff to patch for the above changes if you do not want to do it by hand.
*** old/bin/levenshtein.py 2014-11-11 14:49:21.000000000 -0600
--- new/bin/levenshtein.py 2016-03-14 20:01:06.000000000 -0500
***************
*** 27,33 ****
results,dummyresults,settings = splunk.Intersplunk.getOrganizedResults()
for r in results:
! if "_raw" in r:
if command=="ratio":
ratio=Levenshtein.ratio(r[string1], r[string2])
r["ratio"]=ratio
--- 27,33 ----
results,dummyresults,settings = splunk.Intersplunk.getOrganizedResults()
for r in results:
! if string1 in r and string2 in r:
if command=="ratio":
ratio=Levenshtein.ratio(r[string1], r[string2])
r["ratio"]=ratio
diff -rc old/default/commands.conf new/default/commands.conf
*** old/default/commands.conf 2014-11-05 12:44:12.000000000 -0600
--- new/default/commands.conf 2016-03-14 20:01:44.000000000 -0500
***************
*** 1,2 ****
--- 1,4 ----
[levenshtein]
filename=levenshtein.py
+ retainsevents=true
+ streaming=true
Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern
A Prelude to .conf25: Your Guide to Splunk University
4 Ways the Splunk Community Helps You Prepare for .conf25
