Splunk Search

Custom search command: preop only works when retainevents is false?

Lowell
Super Champion

I have a question about custom search commands and the streaming_preop option. Is there some reason why the preop is only honored if retevs (retainsevents) is false?

I have a situation where I would like to run a pre-processing command, and I want my search script to return events not results. As soon as I set retevs=True, then the pre-operation search command is not executed. There are other limitations on the streaming_preop listed in the docs, but there is nothing mentioned about any conflicts with retainsevents.

Just to be clear, this results in "addinfo" being called:

    import splunk.Intersplunk

    # streaming, generating, retevs, reqsop, preop
    splunk.Intersplunk.outputInfo(False, False, False, True, "addinfo")

But, in this case "addinfo" is NOT called before my search command:

    import splunk.Intersplunk

    # streaming, generating, retevs, reqsop, preop
    splunk.Intersplunk.outputInfo(False, False, True, True, "addinfo")

Any ideas?

steveyz
Splunk Employee

We don't run the streaming_preop if your command isn't the first reporting command. So basically you need to be a reporting command (retainsevents=false), and also you have to be the first one. This is so that a reporting command can specify an optimization that will reduce what comes back from the indexers to only the sufficient statistics needed by that reporting command.

You can specify that your pre-op is required via the requires_preop setting, but that only defeats the second requirement. There is no way that you can force a preop to be run if your command is not a reporting command.
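Putting that answer into a minimal script shape, as an added example that is not code from this thread: a hypothetical reporting command that declares retevs=False (so the "addinfo" pre-op is honored) and reqsop=True (so it still runs when the command is not the first reporting command), then collapses the events into one summary row using the info_min_time/info_max_time fields that addinfo attaches. The `summarize` function and the constants are mine; `isGetInfo`, `getOrganizedResults` and `outputResults` are assumed from the Intersplunk module as I know it, and the sample rows in the test are constructed.

```python
import sys

try:
    # Only present inside a Splunk runtime; guarded so summarize() can be
    # exercised outside Splunk as well.
    import splunk.Intersplunk as si
except ImportError:
    si = None

# Capability flags in the same order as outputInfo's positional arguments.
# retevs=False: this is a reporting command, which is the condition under
# which splunkd runs the streaming_preop at all.
# reqsop=True:  requires_preop, so the preop also runs when this command is
# not the first reporting command in the pipeline.
STREAMING, GENERATING, RETEVS, REQSOP, PREOP = False, False, False, True, "addinfo"


def summarize(results):
    """Reduce a list of result dicts to a single row: the event count plus
    the search window that the addinfo preop recorded on each event."""
    if not results:
        return [{"count": 0}]
    mins = [float(r["info_min_time"]) for r in results if "info_min_time" in r]
    maxs = [float(r["info_max_time"]) for r in results if "info_max_time" in r]
    row = {"count": len(results)}
    if mins and maxs:
        row["info_min_time"] = min(mins)
        row["info_max_time"] = max(maxs)
    return [row]


def main():
    # splunkd first invokes the script with __GETINFO__ to learn its
    # capabilities; outputInfo writes them and exits. The second invocation
    # receives the (already addinfo-annotated) events on stdin.
    isgetinfo, _args = si.isGetInfo(sys.argv)
    if isgetinfo:
        si.outputInfo(STREAMING, GENERATING, RETEVS, REQSOP, PREOP)
    results, _dummy, _settings = si.getOrganizedResults()
    si.outputResults(summarize(results))


if __name__ == "__main__":
    if si is None:
        sys.exit("run this script through splunkd as a custom search command")
    main()
```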
