Solved: Levenshtein Search Command incomplete results and ...

starcher · ‎03-14-2016

The following changes will make the command work reliably in a larger environment.

Fix to allow tstats to work with the command:
Edit line 30 in the levenshtein.py in bin: replace the if '_raw' in r with the following.
if string1 in r and string2 in r:
Add to commands.conf:
retainsevents=true
streaming=true

If you make the above changes you will be able to use the command with tstats across data models like the Network Resolution for DNS queries. This will perform much faster due to accelerated data models over normal SPL index=... sourcetype=... type searches.

starcher · ‎03-14-2016

Use this diff to patch for the above changes if you do not want to do it by hand.

*** old/bin/levenshtein.py      2014-11-11 14:49:21.000000000 -0600
--- new/bin/levenshtein.py      2016-03-14 20:01:06.000000000 -0500
***************
*** 27,33 ****
      results,dummyresults,settings = splunk.Intersplunk.getOrganizedResults()

      for r in results:
!         if "_raw" in r:
              if command=="ratio":
                  ratio=Levenshtein.ratio(r[string1], r[string2])
                  r["ratio"]=ratio
--- 27,33 ----
      results,dummyresults,settings = splunk.Intersplunk.getOrganizedResults()

      for r in results:
!         if string1 in r and string2 in r:
              if command=="ratio":
                  ratio=Levenshtein.ratio(r[string1], r[string2])
                  r["ratio"]=ratio
diff -rc old/default/commands.conf new/default/commands.conf
*** old/default/commands.conf   2014-11-05 12:44:12.000000000 -0600
--- new/default/commands.conf   2016-03-14 20:01:44.000000000 -0500
***************
*** 1,2 ****
--- 1,4 ----
  [levenshtein]
  filename=levenshtein.py
+ retainsevents=true
+ streaming=true

View solution in original post

tjbaker72 · ‎05-03-2016

I had to make the recommended change for the stats command as well.

The author, Nimesh Doshi, appears to be a Splunk employee. How can we get a new revision of the command created with the update? I couldn't find the source on githib...

starcher · ‎03-14-2016

Use this diff to patch for the above changes if you do not want to do it by hand.

*** old/bin/levenshtein.py      2014-11-11 14:49:21.000000000 -0600
--- new/bin/levenshtein.py      2016-03-14 20:01:06.000000000 -0500
***************
*** 27,33 ****
      results,dummyresults,settings = splunk.Intersplunk.getOrganizedResults()

      for r in results:
!         if "_raw" in r:
              if command=="ratio":
                  ratio=Levenshtein.ratio(r[string1], r[string2])
                  r["ratio"]=ratio
--- 27,33 ----
      results,dummyresults,settings = splunk.Intersplunk.getOrganizedResults()

      for r in results:
!         if string1 in r and string2 in r:
              if command=="ratio":
                  ratio=Levenshtein.ratio(r[string1], r[string2])
                  r["ratio"]=ratio
diff -rc old/default/commands.conf new/default/commands.conf
*** old/default/commands.conf   2014-11-05 12:44:12.000000000 -0600
--- new/default/commands.conf   2016-03-14 20:01:44.000000000 -0500
***************
*** 1,2 ****
--- 1,4 ----
  [levenshtein]
  filename=levenshtein.py
+ retainsevents=true
+ streaming=true

Levenshtein Search Command incomplete results and work with tstats

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Join the Conversation