Custom search script returning only first value in array/dictionary

joea9
Explorer

I have a custom search script (Python) which is nothing more than a dummy script at the moment, as I want to get the very basics working before building any logic into it.

I have created the following static string in my python script (I've also added the relevant lines to command.py):

searchstring = [{"ip":"192.168.1.10","hostname":"coffee"},{"ip":"192.168.1.15","hostname":"tea"}]

and then returning the string with:

splunk.Intersplunk.outputResults(searchstring)

I can then run the following from the search bar:

[| script myscript| return $ip]

This returns the '192.168.1.10' and searches for related events.

But, how do I get it to also return the second IP address in the array, and search related events for both? At the moment it is just returning the first ip value and ignoring the rest.

EDIT-

It seems I can return two IPs like this:

[| script myscript| return 2 $ip]

But in my real script there could be 10 IPs or 1000 IPs, I'll never know beforehand. So I really need a way of returning all of them, rather than a specific number of them.
In theory I could put in a ridiculously high number after 'return', which would hopefully catch everything, but that seems like an ugly solution.

0 Karma
1 Solution

vganjare
Builder

Following are a couple of options:

Option 1
Change the query to return the different values of ip addresses. e.g.

[| script myscript| stats values(ip) as ips | return $ips]

Option 2
Use subsearch to compute the ip count (dynamically) and use it in the main search. e.g.

[| script myscript| return [| script myscript | stats count(ip) as count | return $count] $ip]

Thanks!!

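The following is an added example, not the original poster's script and not code from the accepted answer. It assembles the rows a scripted search command would hand to splunk.Intersplunk.outputResults, and, so that it can be run outside a Splunk install, emulates how the `return` command turns those rows into a search fragment. The emulation (quoted values joined with OR, only the first `count` rows kept) is an approximation of `return`'s documented behaviour and is an assumption of this example, not Splunk's own code; the sample rows are constructed.

```python
# Added example: scripted-search rows plus an offline emulation of `return`.
# The emulate_* functions are an assumption about how `| return <count> $<field>`
# expands, written here to show why `return $ip` only yields the first row.
import sys

try:
    import splunk.Intersplunk as intersplunk  # only present inside a Splunk install
except ImportError:  # running outside Splunk, e.g. from a unit test
    intersplunk = None

# Constructed sample rows; a real script would build these from its data source.
SAMPLE_ROWS = [
    {"ip": "192.168.1.10", "hostname": "coffee"},
    {"ip": "192.168.1.15", "hostname": "tea"},
    {"ip": "192.168.1.20", "hostname": "cocoa"},
]


def build_results(rows=SAMPLE_ROWS):
    """Return the list of dicts outputResults expects: one dict per result row."""
    return [dict(row) for row in rows]


def emulate_return(results, field, count=1):
    """Approximate `| return <count> $<field>`: take <field> from the first
    <count> rows, quote each value and join them with OR. The default count
    of 1 keeps only the first row, which is why `return $ip` saw one IP."""
    values = [row[field] for row in results[:count] if row.get(field)]
    terms = ['"%s"' % v for v in values]
    if len(terms) <= 1:
        return terms[0] if terms else ""
    return " OR ".join("(%s)" % t for t in terms)


def emulate_return_all(results, field):
    """The effect of Option 2 above: pass the row count as <count>, so every
    row contributes a term no matter how many rows the script produced."""
    return emulate_return(results, field, count=len(results))


def main():
    results = build_results()
    if intersplunk is not None:
        # Inside Splunk: emit the rows and let the search pipeline do the rest.
        intersplunk.outputResults(results)
        return
    # Outside Splunk: show what each subsearch form would expand to.
    sys.stdout.write("return $ip         -> %s\n" % emulate_return(results, "ip"))
    sys.stdout.write("return 2 $ip       -> %s\n" % emulate_return(results, "ip", 2))
    sys.stdout.write("return <count> $ip -> %s\n" % emulate_return_all(results, "ip"))


if __name__ == "__main__":
    main()
```

Run it outside Splunk to see the three expansions side by side; inside Splunk the same file simply emits the rows, and the `return [| ... | stats count(ip) as count | return $count] $ip` form from Option 2 supplies the count that emulate_return_all hard-wires here.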
joea9
Explorer

Option 2 worked for me, thanks!

0 Karma

vganjare
Builder

You can try converting the searchstring in following format:

searchstring = "ip=192.168.1.10:hostname=coffee~ip=192.168.1.15:hostname=tea"
Here, two different elements are separated by ~ and parameters are separated by : (colon). Once you return the result, you can split the searchstring, and pick the first token or second token. Once the token is selected (e.g. ip=192.168.1.10:hostname=coffee), you can again split the token to find all the parameters till you get the ip address.

Thanks!!

0 Karma

Arun_N_007
Communicator

Since you are returning values using $ip, even if you construct a multivalued field it will be returned like "Value1 Value2". You need to construct a string like

ip="Value1 OR Value2"

while using return.

0 Karma

joea9
Explorer

I managed to get the test working at least, which in effect works similarly to what you've suggested:

[| script myscript| return 2 $ip]

This returns both IPs, but in my real script, there will be any number of IPs, could be 10, or 1000, I really just want to return all of them, I'll never know the exact number beforehand.

The only workaround I can imagine at the moment is to just put a ridiculously high number in the search string so that I will always get all of them, but that's a very ugly way of doing it.

I'll edit this in to the main post.

0 Karma