Need help on Custom search command

maniu1609
Path Finder

I have created a custom search command called "getmetricdemo". I have configured everything, but I'm not getting any output in the Splunk GUI when I run the search query "| getmetricdemo". Here are my configuration details:

commands.conf:

[getmetricdemo]
filename = system_python.path
command.arg.1 = getmetricdemo.py
generating = true
supports_rawargs = true

Since I'm invoking an external processor, I gave the Python interpreter name in the system_python.path file:
cat system_python.path

#!/usr/bin/python

The Python program runs fine when I execute it in the Linux CLI:

python getmetricdemo.py
_time,aaaa,bbbbb
1529492520.0,1,1
1529492580.0,1,1
1529492400.0,1,1
1529492640.0,1,1
1529492460.0,1,1

Both system_python.path and getmetricdemo.py are located in the /opt/splunk/etc/apps//bin directory.

Could anyone please help me out here? Thanks in advance!!

0 Karma

kiril123
Path Finder

Have you found a solution to your problem? I am having the same issue.

maniu1609
Path Finder

No @kiril123

0 Karma

PowerPacked
Builder

All you need in commands is

[getmetricdemo]
filename=getmetricdemo.py
passauth = true

And the Python file should be in the bin directory of the app, commands in local/default of the same app, and the meta file in the metadata dir of the same app.

Yes, if it's a cluster you need to push them from the deployer to all search heads.

Thanks

0 Karma

PowerPacked
Builder

Hi @maniu1609

You should also set info regarding the command in metadata: local.meta or default.meta

[commands/commandname]
export = system
owner = nobody

Thanks

maniu1609
Path Finder

Now I made a few changes:

  1. Removed #! from the #!/usr/bin/python line in the system_python.path file
  2. Added chunked = true in the commands.conf file
  3. Restarted Splunk

After making the above changes, I ran the search command again. Now I can see the error below in the job inspector:

06-22-2018 09:45:24.734 INFO ChunkedExternProcessor - Running process: /usr/bin/python getmetricdemo.py
06-22-2018 09:45:29.427 ERROR ChunkedExternProcessor - Failed attempting to parse transport header: _time,aaaa,bbbbb\r
06-22-2018 09:45:29.427 ERROR ChunkedExternProcessor - Error in 'getmetricdemo' command: External search command exited unexpectedly.

0 Karma
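
The "Failed attempting to parse transport header" error above appears because, with chunked = true, Splunk expects every block the script writes to stdout to start with a `chunked 1.0,<metadata length>,<body length>` header line, and the script printed plain CSV instead. The sketch below is an added example, not code from any poster in this thread: it assumes Python 3, and the `getinfo`/`execute` action names and the `type`/`generating`/`finished` reply keys are given as the Splunk Python SDK uses them, so treat them as assumptions to verify against your Splunk version.

```python
import json
import re
import sys

# Transport header expected before every chunk when chunked = true.
HEADER = re.compile(rb"chunked\s+1\.0\s*,\s*(\d+)\s*,\s*(\d+)\s*\n")

def read_chunk(stream):
    """Return (metadata dict, body bytes), or None at end of input."""
    line = stream.readline()
    if not line:
        return None
    m = HEADER.fullmatch(line)
    if m is None:
        # This is the condition Splunk reported for the plain CSV line.
        raise ValueError("bad transport header: %r" % line)
    meta_len, body_len = int(m.group(1)), int(m.group(2))
    meta = json.loads(stream.read(meta_len)) if meta_len else {}
    return meta, stream.read(body_len)

def write_chunk(stream, meta, body=b""):
    """Frame one reply: header line, JSON metadata, then the CSV body."""
    meta_bytes = json.dumps(meta).encode("utf-8")
    stream.write(b"chunked 1.0,%d,%d\n" % (len(meta_bytes), len(body)))
    stream.write(meta_bytes)
    stream.write(body)
    stream.flush()

def serve(stdin, stdout, rows):
    """Answer the getinfo handshake, then return rows for execute."""
    while True:
        chunk = read_chunk(stdin)
        if chunk is None:
            return
        meta, _ = chunk
        if meta.get("action") == "getinfo":
            # Reply keys are assumptions taken from the SDK's behaviour.
            write_chunk(stdout, {"type": "events", "generating": True})
        elif meta.get("action") == "execute":
            write_chunk(stdout, {"finished": True}, rows)
            return

# Constructed sample rows, same shape as the script output in the thread.
SAMPLE = b"_time,aaaa,bbbbb\r\n1529492520.0,1,1\r\n1529492580.0,1,1\r\n"

if __name__ == "__main__":
    serve(sys.stdin.buffer, sys.stdout.buffer, SAMPLE)
```

Nothing else may be printed to stdout while the command runs; debugging output belongs on stderr, otherwise the same parse error returns.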

maniu1609
Path Finder

Hi @PowerPacked

Thanks for your help. I have added it as you mentioned, but still no luck. I have configured this in the deployer. Does this custom search command need to be configured only on the search head, and does it work only on the search head?

0 Karma