
Need help on Custom search command

maniu1609
Path Finder

I have created a custom search command called "getmetricdemo". I have configured everything, but I'm not getting any output in the Splunk GUI when I run the search query "| getmetricdemo". Here are my configuration details:

commands.conf:

[getmetricdemo]
filename = system_python.path
command.arg.1 = getmetricdemo.py
generating = true
supports_rawargs = true

Since I'm invoking an external processor, I gave the Python interpreter name in the system_python.path file:

cat system_python.path

#!/usr/bin/python

The Python program runs fine when I execute it in the Linux CLI:

python getmetricdemo.py
_time,aaaa,bbbbb
1529492520.0,1,1
1529492580.0,1,1
1529492400.0,1,1
1529492640.0,1,1
1529492460.0,1,1

Both system_python.path and getmetricdemo.py are located in the /opt/splunk/etc/apps//bin directory.

Could anyone please help me out here? Thanks in advance!!

0 Karma

kiril123
Path Finder

Have you found a solution to your problem? I am having the same issue.

maniu1609
Path Finder

No @kiril123

0 Karma

PowerPacked
Builder

All you need in commands is

[getmetricdemo]
filename=getmetricdemo.py
passauth = true

And the Python file should be in the bin directory of the app, commands in local/default of the same app, and the meta file in the metadata dir of the same app.

Yes, if it's a cluster you need to push them from the deployer to all search heads.

Thanks

0 Karma

PowerPacked
Builder

Hi @maniu1609

You should also set info regarding the command in metadata: local.meta or default.meta

[commands/commandname]
export = system
owner = nobody

Thanks

maniu1609
Path Finder

Now I made a few changes:

  1. Removed #! from the #!/usr/bin/python line in the system_python.path file
  2. Added chunked = true in the commands.conf file
  3. Restarted Splunk

After making the above changes, I ran the search command again. Now I can see the error below in the job inspector:

06-22-2018 09:45:24.734 INFO ChunkedExternProcessor - Running process: /usr/bin/python getmetricdemo.py
06-22-2018 09:45:29.427 ERROR ChunkedExternProcessor - Failed attempting to parse transport header: _time,aaaa,bbbbb\r
06-22-2018 09:45:29.427 ERROR ChunkedExternProcessor - Error in 'getmetricdemo' command: External search command exited unexpectedly.

0 Karma
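
The "Failed attempting to parse transport header" error in the job inspector output above is what a chunked command produces when the first line it writes is not a chunk header. As an added illustration (not code from any poster in this thread or from Splunk), the sketch below frames CSV rows as one chunk and shows that a bare CSV header line is rejected. The header format and the `finished` metadata key follow the chunked protocol as implemented in Splunk's Python SDK; the function names and sample rows are made up for this example, and the getinfo handshake a real command must also answer is not covered.

```python
import csv
import io
import json
import re

# Every chunk starts with one header line:
#   chunked 1.0,<metadata byte length>,<body byte length>\n
HEADER_RE = re.compile(r"chunked\s+1\.0\s*,\s*(\d+)\s*,\s*(\d+)\s*\n")


def parse_transport_header(line):
    """Return (metadata_len, body_len); raise ValueError for anything else."""
    m = HEADER_RE.fullmatch(line)
    if m is None:
        raise ValueError("Failed attempting to parse transport header: %r" % line)
    return int(m.group(1)), int(m.group(2))


def build_chunk(metadata, fieldnames=(), rows=()):
    """Frame a JSON metadata dict and CSV rows as one chunk (bytes)."""
    meta = json.dumps(metadata, separators=(",", ":")).encode("utf-8")
    body = b""
    if fieldnames:
        buf = io.StringIO()
        writer = csv.DictWriter(buf, fieldnames=fieldnames, lineterminator="\n")
        writer.writeheader()
        writer.writerows(rows)
        body = buf.getvalue().encode("utf-8")
    header = ("chunked 1.0,%d,%d\n" % (len(meta), len(body))).encode("ascii")
    return header + meta + body


def split_chunk(chunk):
    """Inverse of build_chunk: return (metadata dict, body text)."""
    header, _, rest = chunk.partition(b"\n")
    meta_len, body_len = parse_transport_header(header.decode("ascii") + "\n")
    if len(rest) != meta_len + body_len:
        raise ValueError("chunk length does not match its header")
    return json.loads(rest[:meta_len]), rest[meta_len:].decode("utf-8")


# Constructed sample rows, reusing the field names from the script output above.
SAMPLE_ROWS = [{"_time": "1529492520.0", "aaaa": "1", "bbbbb": "1"},
               {"_time": "1529492580.0", "aaaa": "1", "bbbbb": "1"}]

if __name__ == "__main__":
    # "finished" is the assumed end-of-results key in the reply metadata.
    print(build_chunk({"finished": True}, ["_time", "aaaa", "bbbbb"], SAMPLE_ROWS))
```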

maniu1609
Path Finder

Hi @PowerPacked

Thanks for your help. I have added it as you mentioned, but still no luck. I have configured this in the deployer. Does this custom search command need to be configured only on the search head, and does it work only on the search head?

0 Karma