Solved: Re: Levenshtein Search Command incomplete results ...

starcher · ‎03-14-2016

The following changes will make the command work reliably in a larger environment.

Fix to allow tstats to work with the command:
Edit line 30 in the levenshtein.py in bin: replace the if '_raw' in r with the following.
if string1 in r and string2 in r:
Add to commands.conf:
retainsevents=true
streaming=true

If you make the above changes you will be able to use the command with tstats across data models like the Network Resolution for DNS queries. This will perform much faster due to accelerated data models over normal SPL index=... sourcetype=... type searches.

starcher · ‎03-14-2016

Use this diff to patch for the above changes if you do not want to do it by hand.

*** old/bin/levenshtein.py      2014-11-11 14:49:21.000000000 -0600
--- new/bin/levenshtein.py      2016-03-14 20:01:06.000000000 -0500
***************
*** 27,33 ****
      results,dummyresults,settings = splunk.Intersplunk.getOrganizedResults()

      for r in results:
!         if "_raw" in r:
              if command=="ratio":
                  ratio=Levenshtein.ratio(r[string1], r[string2])
                  r["ratio"]=ratio
--- 27,33 ----
      results,dummyresults,settings = splunk.Intersplunk.getOrganizedResults()

      for r in results:
!         if string1 in r and string2 in r:
              if command=="ratio":
                  ratio=Levenshtein.ratio(r[string1], r[string2])
                  r["ratio"]=ratio
diff -rc old/default/commands.conf new/default/commands.conf
*** old/default/commands.conf   2014-11-05 12:44:12.000000000 -0600
--- new/default/commands.conf   2016-03-14 20:01:44.000000000 -0500
***************
*** 1,2 ****
--- 1,4 ----
  [levenshtein]
  filename=levenshtein.py
+ retainsevents=true
+ streaming=true

View solution in original post

tjbaker72 · ‎05-03-2016

I had to make the recommended change for the stats command as well.

The author, Nimesh Doshi, appears to be a Splunk employee. How can we get a new revision of the command created with the update? I couldn't find the source on githib...

starcher · ‎03-14-2016

Use this diff to patch for the above changes if you do not want to do it by hand.

*** old/bin/levenshtein.py      2014-11-11 14:49:21.000000000 -0600
--- new/bin/levenshtein.py      2016-03-14 20:01:06.000000000 -0500
***************
*** 27,33 ****
      results,dummyresults,settings = splunk.Intersplunk.getOrganizedResults()

      for r in results:
!         if "_raw" in r:
              if command=="ratio":
                  ratio=Levenshtein.ratio(r[string1], r[string2])
                  r["ratio"]=ratio
--- 27,33 ----
      results,dummyresults,settings = splunk.Intersplunk.getOrganizedResults()

      for r in results:
!         if string1 in r and string2 in r:
              if command=="ratio":
                  ratio=Levenshtein.ratio(r[string1], r[string2])
                  r["ratio"]=ratio
diff -rc old/default/commands.conf new/default/commands.conf
*** old/default/commands.conf   2014-11-05 12:44:12.000000000 -0600
--- new/default/commands.conf   2016-03-14 20:01:44.000000000 -0500
***************
*** 1,2 ****
--- 1,4 ----
  [levenshtein]
  filename=levenshtein.py
+ retainsevents=true
+ streaming=true

Levenshtein Search Command incomplete results and work with tstats

.conf23 Registration is Now Open!

Don't wait! Accept the Mission Possible: Splunk Adoption Challenge Now and Win ...

Unify Your SecOps with Splunk Mission Control