- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Custom Commands - Can Streaming Command return...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Custom Commands - Can Streaming Command return more than 1 row per result???
Hello, I'm creating a custom command on splunk (as you can see bellow), my problem is that from one row I want to create two.
Is it possible?
Just to keep you in the context, what i'm trying to change this single line:
main_app first_relation second_relation
into two:
main_app first_relation
main_app second_relation
import sys
import re
from splunklib.searchcommands import dispatch, StreamingCommand, Configuration
@Configuration(local=True)
class ExtractDicom(StreamingCommand):
def stream(self, records):
for record in records:
record['from'] = None
record['to'] = None
if record['main_app'] is not None or record['main_app']!='':
record['from'] = record['main_app']
record['to'] = record['first_relation']
record['from'] = record['main_app']
record['to'] = record['second_relation']
record['meh'] = {'data2', 'data3'}
yield record
if __name__ == "__main__":
dispatch(ExtractDicom, sys.argv, sys.stdin, sys.stdout, __name__)
Any kind of help I would appreciate 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In Line 13 and 14, you're creating your first row, in line 15 and 16, you are overriding the same row instead of crating a new row. That is why you see only one row. Not sure what you're trying to achieve here, here is the quick hack.
import sys
import re
import copy
from splunklib.searchcommands import dispatch, StreamingCommand, Configuration
@Configuration(local=True)
class ExtractDicom(StreamingCommand):
def stream(self, records):
for record in records:
record['from'] = None
record['to'] = None
ret_records=[]
if record['main_app'] is not None or record['main_app']!='':
ret_records[0] = copy.deepCopy(record)
ret_records[0]['from'] = record['main_app']
ret_records[0]['to'] = record['first_relation']
ret_records[1] = copy.deepCopy(record)
ret_records[1]['from'] = record['main_app']
ret_records[1]['to'] = record['second_relation']
#Totally unsure what this row is trying to do!
record['meh'] = {'data2', 'data3'}
for ret_record in ret_records:
yield ret_record
if __name__ == "__main__":
dispatch(ExtractDicom, sys.argv, sys.stdin, sys.stdout, __name__)
This is in no way production ready code. Like I said, I am unsure what you're trying to acheive. I'm just pointing out where you're going wrong.
You could also totally achieve this directly in SPL as below
| <your search>
| eval from=if(isnotnull(main_app), main_app, null())
| eval to=if(isnotnull(main_app), mvappend(first_relation, second_relation), null())
| mvexpand to
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Please mark as answer if this is what you were looking for
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
