Solved: Re: Custom search script returning only first valu...

joea9 · ‎05-20-2015

I have a custom search script (Python) which is nothing more than a dummy script at the moment, as I want to get the very basics working before building any logic into it.

I have created the following static string in my python script (I've also added the relevant lines to command.py):

searchstring = [{"ip":"192.168.1.10","hostname":"coffee"},{"ip":"192.168.1.15","hostname":"tea"}]

and then returning the string with:

splunk.Intersplunk.outputResults(searchstring)

I can then run the following from the search bar:

[| script myscript| return $ip]

This returns the '192.168.1.10' and searches for related events,.

But, how do I get it to also return the second IP address in the array, and search related events for both? At the moment it is just returning the first ip value and ignoring the rest.

EDIT-

It seems I can return two IPs like this:

[| script myscript| return 2 $ip]

But in my real script there could be 10 IPs or 1000 IPs, I'll never know beforehand. So I really need a way of returning all of them, rather than a specific number of them.
In theory I could put in a ridiculously high number after 'return', which would hopefully catch everything, but that seems like an ugly solution.

vganjare · ‎05-21-2015

Following are couple of options:

Option 1
Change the query to return the different values of ip addresses. e.g.

[| script myscript| stats values(ip) as ips | return $ips]

Option 2
Use subsearch to compute the ip count (dynamically) and use it in the main search. e.g.

[| script myscript| return [| script myscript | stats count(ip) as count | return $count] $ip]

Thanks!!

View solution in original post

vganjare · ‎05-21-2015

Following are couple of options:

Option 1
Change the query to return the different values of ip addresses. e.g.

[| script myscript| stats values(ip) as ips | return $ips]

Option 2
Use subsearch to compute the ip count (dynamically) and use it in the main search. e.g.

[| script myscript| return [| script myscript | stats count(ip) as count | return $count] $ip]

Thanks!!

joea9 · ‎05-26-2015

Option 2 worked for me, thanks!

vganjare · ‎05-21-2015

You can try converting the searchstring in following format:

searchstring = "ip=192.168.1.10:hostname=coffee~ip=192.168.1.15:hostname=tea"
Here, two different elements are seperated by ~ and parameters are seperated by : (colon). Once you return the result, you can split the searchstring , and pick the first token or second token. Once the token is selected (ie.g ip=192.168.1.10:hostname=coffee), you can again split the token to find all the parameters till you get the ip address.

Thanks!!

Arun_N_007 · ‎05-21-2015

Since you are returning values using $ip.

Even if you construct multi valued field it will be returned like "Value1 Value2". You need to construct String like

ip= "Value1 OR Value2" while using return.

joea9 · ‎05-21-2015

I managed to get the test working at least, which in effect works similarly to what you've suggested:

[| script myscript| return 2 $ip]

This returns both IPs, but in my real script, there will be any number of IPs, could be 10, or 1000, I really just want to return all of them, I'll never know the exact number beforehand.

The only workaround I can imagine at the moment is to just put a ridiculously high number in the search string so that I will always get all of them, but that's a very ugly way of doing it.

I'll edit this in to the main post.

Custom search script returning only first value in array/dictionary

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!