- Apps & Add-ons
- :
- All Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Re: Need help on Custom search command
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Need help on Custom search command
I have created custom search command called "getmetricdemo". I have configured everything but I'm not getting output in splunk GUI when I run search query as "| getmetricdemo" . Here is my configuration details:
commands.conf:
[getmetricdemo]
filename = system_python.path
command.arg.1 = getmetricdemo.py
generating = true
supports_rawargs = true
Since I'm invoking external processor, I gave python interpreter name in system_python.path file
cat system_python.path
!/usr/bin/python
python program is running fine when I execute in Linux CLI:
python getmetricdemo.py
_time,aaaa,bbbbb
1529492520.0,1,1
1529492580.0,1,1
1529492400.0,1,1
1529492640.0,1,1
1529492460.0,1,1
Both system_python.path and getmetricdemo.py are located in /opt/splunk/etc/apps//bin directory.
Could anyone please help me out here. Thanks in advance!!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have you found a solution to your problem? I am having the same issue.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No @kiril123
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
all you need in commands is
[getmetricdemo]
filename=getmetricdemo.py
passauth = true
& the python file should be in the bin directory of the app, commands in local/default of the same app, meta file in metadata dir of same app.
yes if its a cluster you need to push them from deployer to all search heads.
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @maniu1609
you should also set info regarding the command in metadata ---- local.meta or default.meta
[commands/commandname]
export = system
owner = nobody
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Now i did few changes:
- Removed #! from #!/usr/bin/python line in system_python.path file
- Added chunked = true in commands.conf file
- Restarted splunk
After doing above changes, I again ran search command, Now I could see below error in job inspector:
06-22-2018 09:45:24.734 INFO ChunkedExternProcessor - Running process: /usr/bin/python getmetricdemo.py
06-22-2018 09:45:29.427 ERROR ChunkedExternProcessor - Failed attempting to parse transport header: _time,aaaa,bbbbb\r
06-22-2018 09:45:29.427 ERROR ChunkedExternProcessor - Error in 'getmetricdemo' command: External search command exited unexpectedly.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @PowerPacked
Thanks for your help. I have added as you mentioned. But still no luck. I have configured this in deployer. Does this custom search command need to be configured only in search head and works only in search head?
Developer Spotlight with Paul Stout
State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...
Data-Driven Success: Splunk & Financial Services
