Developing for Splunk Enterprise

How to resolve Splunk SDK for Python custom streaming search command?

Communicator

I am building a custom streaming search command using the Python SDK and the instructions laid out here. So far, I'm just testing the basic process of trying to get the command to run from within Splunk (i.e. the command itself doesn't do anything yet). However, I'm running into trouble simply importing the SDK libraries shown in the example. Here is a stack trace from the job inspector:

[image: stack trace from the job inspector]

I copied the splunklib folder from the SDK into my app's bin directory, and below is the streaming command's code so far. Anyone have an idea what's wrong here? I'm not sure what "No section: 'handlers'" would mean in this context.

import sys
from splunklib.searchcommands import dispatch, StreamingCommand, Configuration, Option, validators


@Configuration()
class ipasnCommand(StreamingCommand):

    def stream(self, events):
        # Put your event transformation code here
        pass

dispatch(ipasnCommand, sys.argv, sys.stdin, sys.stdout, __name__)
1 Solution

Communicator

Solution was to simply add this to logging.conf:

[handlers]
keys = app, splunklib, stderr

Contributor

Where is this logging.conf file?
Thanks

Motivator

The 'logging.conf' file should be under the "$SPLUNK_HOME/etc//default" folder

SplunkTrust

Never change files in /etc/system/default

Put it in $splunk_home/etc/apps/appName/local

SplunkTrust

You're importing Configuration which I assume is causing this.

Try breaking your imports out into one line each and see what line causes the error. 99% chance it's Configuration.

from splunklib.searchcommands import dispatch
from splunklib.searchcommands import Configuration
...
And so on

It's looking for a .conf file with a section called handlers... Example:

[handlers]
Key=value

Communicator

Thanks, just figured that part out on my own, I think. Does anyone have an example of a streaming command that actually does something? I'm not sure what the syntax is for modifying events in the "def stream(self, events):" function. Having pass in there doesn't seem to work. The web interface is throwing: TypeError at "/opt/splunk/etc/apps/ip_asn/bin/splunklib/searchcommands/internals.py", line 519 : 'NoneType' object is not iterable

Communicator

Never mind, figured it out. Just need to iterate over events and yield each one.

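A worked version of what the last two posts describe (a stream() that actually transforms and yields every event), added here as an example; it is not code from the original poster or from the Splunk SDK. The command name ipscope, the field/outfield options and the sample events are all constructed for illustration. The transformation is kept in a plain generator so the module can be imported and tested outside Splunk, where splunklib is not on the path; inside Splunk, the class at the bottom wires it into the SDK exactly as the stub above does.

```python
import ipaddress
import sys

# splunklib ships with the Splunk SDK for Python and is copied into the app's
# bin/ directory; this guard lets the module be imported and unit-tested on a
# machine where it is not installed.
try:
    from splunklib.searchcommands import (
        dispatch, StreamingCommand, Configuration, Option, validators)
    HAVE_SPLUNKLIB = True
except ImportError:
    HAVE_SPLUNKLIB = False


def classify_ip(value):
    """Return 'private', 'public' or 'invalid' for a string IP address."""
    try:
        addr = ipaddress.ip_address(str(value).strip())
    except ValueError:
        return 'invalid'
    return 'private' if addr.is_private else 'public'


def tag_events(events, fieldname, outfield):
    """The event transformation, kept separate from the command class.

    This is a generator: every incoming event is yielded back with one field
    added.  A stream() that just falls through with `pass` returns None, which
    is what produces "'NoneType' object is not iterable" inside the SDK.
    """
    for event in events:
        event[outfield] = classify_ip(event.get(fieldname, ''))
        yield event


# Constructed sample events standing in for what Splunk pipes to the command.
SAMPLE_EVENTS = [
    {'src_ip': '192.168.0.1'},
    {'src_ip': '1.1.1.1'},
    {'src_ip': 'not-an-ip'},
    {},
]


def run_sample():
    """Run the transformation over the constructed events; returns a list."""
    return list(tag_events(SAMPLE_EVENTS, 'src_ip', 'ip_scope'))


if HAVE_SPLUNKLIB:
    @Configuration()
    class IpScopeCommand(StreamingCommand):
        """SPL usage (hypothetical command name):  ... | ipscope field=src_ip"""
        field = Option(require=True, validate=validators.Fieldname())
        outfield = Option(default='ip_scope', validate=validators.Fieldname())

        def stream(self, events):
            # Returning the generator is enough; the SDK iterates over it.
            return tag_events(events, self.field, self.outfield)

    if __name__ == '__main__':
        dispatch(IpScopeCommand, sys.argv, sys.stdin, sys.stdout, __name__)
```

Inside Splunk the script still needs the usual commands.conf stanza for the app (a `[ipscope]` stanza pointing at the script file, with `chunked = true` for the protocol the SDK's search command classes speak); that stanza is assumed here, not shown in the thread.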
Communicator

Update, I stuck this in logging.conf:

[handlers]
keys =

Now, there is a fun new error:

02-02-2017 14:38:25.649 ERROR ChunkedExternProcessor - stderr:   File "/opt/splunk/etc/apps/ip_asn/bin/splunklib/searchcommands/environment.py", line 102, in configure_logging
02-02-2017 14:38:25.649 ERROR ChunkedExternProcessor - stderr:     fileConfig(filename, {'SPLUNK_HOME': splunk_home})
02-02-2017 14:38:25.649 ERROR ChunkedExternProcessor - stderr:   File "/opt/splunk/lib/python2.7/logging/config.py", line 86, in fileConfig
02-02-2017 14:38:25.649 ERROR ChunkedExternProcessor - stderr:     _install_loggers(cp, handlers, disable_existing_loggers)
02-02-2017 14:38:25.649 ERROR ChunkedExternProcessor - stderr:   File "/opt/splunk/lib/python2.7/logging/config.py", line 205, in _install_loggers
02-02-2017 14:38:25.649 ERROR ChunkedExternProcessor - stderr:     log.addHandler(handlers[hand])
02-02-2017 14:38:25.649 ERROR ChunkedExternProcessor - stderr: KeyError: 'stderr'

Communicator

Okay, so just by playing around with it, I seem to have worked around the errors.

Using this did the trick:
[handlers]
keys = app, splunklib, stderr
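The thread's two failures (No section: 'handlers', then KeyError: 'stderr' once keys was left empty) both come from the rules of the standard logging.config.fileConfig() format that the SDK's configure_logging() loads. The following is an added example, not the SDK's own default file or anything the posters shared: a constructed, complete logging.conf with the three handlers the accepted answer lists, plus a small linter that reports the same dependency problems before Splunk does. Logger and handler names, levels and the formatter are assumptions chosen to match the keys line above.

```python
import configparser
import io
import logging.config

# Constructed, complete logging.conf in logging.config.fileConfig() format.
# Rules behind the thread's two errors: [loggers], [handlers] and [formatters]
# must all exist; every name under "[handlers] keys" needs a matching
# [handler_<name>] section; and any handler a logger names must be listed
# under "[handlers] keys".  Names here are assumptions, not the SDK defaults.
GOOD_CONF = """\
[loggers]
keys = root, splunklib, app

[logger_root]
level = WARNING
handlers = stderr

[logger_splunklib]
level = WARNING
handlers = splunklib
qualname = splunklib
propagate = 0

[logger_app]
level = INFO
handlers = app
qualname = app
propagate = 0

[handlers]
keys = app, splunklib, stderr

[handler_app]
class = StreamHandler
formatter = simple
args = (sys.stderr,)

[handler_splunklib]
class = StreamHandler
formatter = simple
args = (sys.stderr,)

[handler_stderr]
class = StreamHandler
formatter = simple
args = (sys.stderr,)

[formatters]
keys = simple

[formatter_simple]
format = %(asctime)s %(levelname)s %(name)s: %(message)s
"""

# The two broken variants seen in the thread: no [handlers] section at all,
# and an empty "keys =" while the loggers still name the stderr handler.
NO_HANDLERS_CONF = GOOD_CONF.replace('[handlers]\n', '[handlerz]\n')
EMPTY_KEYS_CONF = GOOD_CONF.replace('keys = app, splunklib, stderr', 'keys =')


def _keys(cp, section):
    """Split a 'keys = a, b, c' line into a list of names."""
    raw = cp.get(section, 'keys', fallback='')
    return [k.strip() for k in raw.split(',') if k.strip()]


def lint_logging_conf(text):
    """Return the problems fileConfig() would hit, as human-readable strings."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    problems = []
    for section in ('formatters', 'handlers', 'loggers'):
        if not cp.has_section(section):
            problems.append("No section: '%s'" % section)
    if problems:
        return problems
    handlers = _keys(cp, 'handlers')
    for name in handlers:
        if not cp.has_section('handler_' + name):
            problems.append("[handler_%s] missing for key %r" % (name, name))
    for name in _keys(cp, 'loggers'):
        section = 'logger_' + name
        if not cp.has_section(section):
            problems.append("[%s] missing for key %r" % (section, name))
            continue
        for h in cp.get(section, 'handlers', fallback='').split(','):
            h = h.strip()
            if h and h not in handlers:
                problems.append("logger %r names handler %r that is not in "
                                "[handlers] keys (KeyError: %r)" % (name, h, h))
    return problems


def fileconfig_loads(text):
    """True if logging.config.fileConfig() accepts the text without raising."""
    try:
        logging.config.fileConfig(io.StringIO(text),
                                  disable_existing_loggers=False)
    except Exception:
        return False
    return True
```

Run lint_logging_conf() over the file before dropping it into the app's local directory (as the reply above recommends) and the job inspector stops being the first place the mistake shows up.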