Hi everyone, I am doing a custom command for some calculation, and I needed one of the fields which I have loaded in from the API using the following code in my first Python file:
import json
import urllib2
url = "intended API's url"  # placeholder for the real API URL
page = urllib2.urlopen(url)
content = page.read()
dengDictionary = json.loads(content)  # parse the JSON response into a dict
The field which I needed for the calculation is now in one of my interesting fields when I look at the Splunk Search App. What do I have to do, or how should I do it, such that it will be able to get this interesting field into my second Python file for the calculation when I run my custom command?
Whether or not a field is in the "selected" fields or in the "interesting fields" area doesn't really matter in a way. If it's present in either area, that means that the field is present in the search results, which in turn means that your custom commands can access it.
As to how in general to make sure the field makes it to your custom command(s) safely, just
1) don't have a fields command whack it away,
2) if you've one or more transforming commands like stats, remember that you have to pass it on somehow (e.g. with last(foo)),
3) if your custom command is in a postProcess search, make sure to read up on postProcess pitfalls and have the field referenced somewhere explicitly in the base search, like with a fields clause on the end of the search. If it's not explicitly in there, Splunk may be optimizing it away, which will make it seem to vanish from your base search results.
Yep. At each pipe just picture a bunch of rows, each of which is just a set of key value pairs. A custom command can receive this and process it just like one of the core commands like "top" does.
Also, if you feel like you're not finding enough examples of custom Python search commands in the docs, remember you can read the source of any of the ones that ship, e.g. in the search app: "$SPLUNK_HOME/etc/apps/search/bin"
Hi sideview, thanks for your time.
I have just started on Splunk and to be honest I know very little about it.
I would like to ask if the usage of something like this would allow me to actually use my custom command with an interesting field:
sourcetype="json_onemap" | top center
center is one of my interesting fields
If I replace the "top" command with my very own custom command, logically it would work, right?
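An added example, not part of the original thread and not one of Splunk's shipped commands: a custom command body that treats the incoming results as rows of key-value pairs, reads `center` from each row, and reports when the field did not survive the pipeline. The deviation-from-mean calculation, the `name` field and the sample rows are assumptions made for illustration; `splunk.Intersplunk` is the legacy helper module bundled with Splunk's Python.

```python
import csv
import io

# Constructed sample of the rows a command receives after
#   sourcetype="json_onemap" | fields center, name
# The third row has no value for "center".
SAMPLE_CSV = "center,name\n10,a\n20,b\n,c\n"


def rows_from_csv(text):
    """Turn CSV text into a list of dicts, one dict per result row."""
    return [dict(r) for r in csv.DictReader(io.StringIO(text))]


def add_deviation(rows, field="center"):
    """Add <field>_delta (value minus mean) to each row.

    Returns (rows, missing); missing counts rows where the field is
    absent, empty, multivalued or not numeric.
    """
    values = []
    for row in rows:
        try:
            values.append(float(row.get(field, "")))
        except (TypeError, ValueError):
            values.append(None)
    present = [v for v in values if v is not None]
    mean = sum(present) / len(present) if present else None
    for row, v in zip(rows, values):
        row[field + "_delta"] = "" if v is None else str(v - mean)
    return rows, len(rows) - len(present)


if __name__ == "__main__":
    try:
        import splunk.Intersplunk as si  # present only in Splunk's Python
    except ImportError:
        si = None
    if si is None:
        # Outside Splunk: run on the constructed sample instead.
        print(add_deviation(rows_from_csv(SAMPLE_CSV)))
    else:
        results, _dummy, _settings = si.getOrganizedResults()
        results, missing = add_deviation(results)
        if results and missing == len(results):
            # Field never arrived (e.g. dropped by fields/stats upstream).
            results = si.generateErrorResults("field 'center' not in results")
        si.outputResults(results)
```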