Security

Custom search example assistance

phoenixdigital
Builder

Hi All,

I have just started looking at custom searches as a solution to a complex alert I would like to create. So first up I am trying to get the example on the Splunk website working
http://docs.splunk.com/Documentation/Splunk/latest/developer/searchscripts

I have created the python script (exactly as described on the above URL) in /opt/splunk/etc/apps/myapp/bin/trendlines.py . I have ensured it has execute permissions.

I then edited /opt/splunk/etc/apps/myapp/local/commands.conf and added the following lines.

[trendlines]
filename = trendlines.py

I restarted Splunk.

Now the following search gives me a list of RRP prices over time for each state

sourcetype=p5_reports | dedup _time, REGIONID | table  _time REGIONID RRP

If I want to pass this to the custom search what command do I use?

sourcetype=p5_reports | dedup _time, REGIONID | table  _time REGIONID RRP | trendlines sma1000(RRP)

Gives me an error of

Search operation 'trendlines' is unknown. You might not have permission to run this operation.

then trying this

sourcetype=p5_reports | dedup _time, REGIONID | table  _time REGIONID RRP | script python trendlines sma1000(RRP)

gives the error

command="trendlines", Unexpected first argument to script, expected '__GETINFO__' or '__EXECUTE__'.

then trying

sourcetype=p5_reports | dedup _time, REGIONID | table  _time REGIONID RRP | script python trendlines __EXECUTE__ sma1000(RRP)

returns

External search command 'trendlines' returned error code 1

What am I doing wrong here? The example seems pretty straight forward but I am doing something fundamentally wrong here.

1 Solution

phoenixdigital
Builder

Ok I found the problem.

From this page
http://docs.splunk.com/Documentation/Splunk/latest/developer/searchscripts

The line in the example

results = splunk.Intersplunk.readResults(None, None, False)

should be

results = splunk.Intersplunk.readResults(None, None, True)

This is the second time I have found an error in the examples in the documentation. The previous one being here http://splunk-base.splunk.com/answers/28697/example-setupxml-failure

I suggest someone at Splunk go through all tutorials and ensure examples provided actually work. It is very disheartening to waste hours of time on learning something when the official examples provided don't even work.

After fixing this mistake in the tutorials everything works when performing the following search

sourcetype=p5_reports | dedup _time, REGIONID sortby _time asc | trendlines __EXECUTE__ sma10(RRP) as newRRP | table _time, REGIONID, RRP, newRRP

Thank you bwooden for your assistance regarding permissions as well.

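Added example for this page, not Splunk's code and not posted in the thread: a Python 3 stand-in for the two `splunk.Intersplunk` calls the accepted solution hinges on. With `enableheader` at its commands.conf default, Splunk precedes the CSV results on the script's stdin with a block of `key:value` header lines and one blank line; `readResults(None, None, True)` consumes that block before CSV parsing starts, and with `False` the header lines are parsed as CSV and the expected fields never appear. `SAMPLE_STDIN` is constructed to mimic that layout with made-up values, and `is_getinfo` mirrors the first-argument check whose error message recurs in the thread (Splunk only prepends `__GETINFO__`/`__EXECUTE__` when commands.conf has `supports_getinfo = true`).

```python
import csv
import io

# Constructed stand-in for what Splunk writes to an external search command's
# stdin: "key:value" header lines, one blank line, then the results as CSV with
# a header row. The values are made up; only the layout matters here.
SAMPLE_STDIN = (
    "authString:<auth><userId>admin</userId><username>admin</username></auth>\n"
    "sessionKey:EXAMPLE_SESSION_KEY\n"
    "infoPath:/opt/splunk/var/run/splunk/dispatch/1300000000.1/info.csv\n"
    "\n"
    "_time,REGIONID,RRP\n"
    "1300000000,NSW1,31.5\n"
    "1300000000,VIC1,29.1\n"
    "1300000300,NSW1,33.0\n"
)


def read_results(stream, has_header=True):
    """Simplified re-implementation of splunk.Intersplunk.readResults.

    With has_header=True the "key:value" lines are consumed into a settings
    dict and CSV parsing starts after the blank separator line. With
    has_header=False the header lines are fed straight into the CSV parser,
    which is the mistake the thread's solution corrects.
    Returns (settings, list_of_row_dicts).
    """
    settings = {}
    if has_header:
        while True:
            line = stream.readline()
            if line == "":            # EOF before the separator: no results
                return settings, []
            line = line.rstrip("\r\n")
            if line == "":            # blank line ends the header block
                break
            key, sep, value = line.partition(":")
            if sep:
                settings[key] = value
    return settings, list(csv.DictReader(stream))


def parse(stdin_text, has_header=True):
    """Convenience wrapper: parse a captured stdin string."""
    return read_results(io.StringIO(stdin_text), has_header)


def is_getinfo(argv):
    """Mirror of the check splunk.Intersplunk.isGetInfo makes on sys.argv.

    Splunk only prepends __GETINFO__ / __EXECUTE__ when commands.conf has
    supports_getinfo = true; otherwise argv[1] is the first search argument
    (or missing) and the real module aborts with the message below.
    Returns (getinfo_flag, argv_without_the_marker).
    """
    if len(argv) >= 2 and argv[1] in ("__GETINFO__", "__EXECUTE__"):
        return argv[1] == "__GETINFO__", [argv[0]] + argv[2:]
    raise ValueError("Unexpected first argument to script, "
                     "expected '__GETINFO__' or '__EXECUTE__'")


def add_field(results, name, value):
    """The thread's cut-down command body: add one field to every row."""
    for row in results:
        row[name] = value
    return results


def write_results(results):
    """Simplified stand-in for splunk.Intersplunk.outputResults: CSV with a
    header made of every field seen, in first-seen order."""
    fields = []
    for row in results:
        for key in row:
            if key not in fields:
                fields.append(key)
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=fields, lineterminator="\n")
    writer.writeheader()
    writer.writerows(results)
    return out.getvalue()


def run(stdin_text, has_header=True):
    """Parse stdin_text as Splunk would feed it, add a field, return the CSV."""
    _settings, results = parse(stdin_text, has_header)
    return write_results(add_field(results, "newfield", "its here"))


if __name__ == "__main__":
    print(run(SAMPLE_STDIN, has_header=True))
    _, misparsed = parse(SAMPLE_STDIN, has_header=False)
    print("fields seen with has_header=False:", list(misparsed[0].keys()))
```

With `has_header=True` the three result rows come back with their `_time`, `REGIONID` and `RRP` fields and `sessionKey` lands in the settings dict; with `has_header=False` the `authString:...` line becomes the CSV header and every later line, including the real field header, becomes a one-column row, so any command body that indexes `RRP` fails.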
phoenixdigital
Builder

Ok I have dumbed down the example on the Splunk website to just add a single field to the result set.

See cutdown python script here

import csv
import sys
import splunk.Intersplunk
import string

# open logfile used for debugging (appended to on every invocation)
f = open('/tmp/workfile', 'a')
f.write('Starting\n')
f.write('argv length ' + str(len(sys.argv)) + '\n')

# Splunk is expected to pass __GETINFO__ or __EXECUTE__ as the first argument
(isgetinfo, sys.argv) = splunk.Intersplunk.isGetInfo(sys.argv)

if isgetinfo:
    # streaming=False, generating=False, retainsevents=True,
    # requires_preop=False, preop=None, timeorder=True
    splunk.Intersplunk.outputInfo(False, False, True, False, None, True)
    # outputInfo automatically calls sys.exit()

try:
    f.write('Getting results from Splunk\n')
    # read the results Splunk pipes to stdin (has_header=False here)
    results = splunk.Intersplunk.readResults(None, None, False)
    f.write('Success\n')

    f.write('Size of resultset ' + str(len(results)) + '\n')

    # add one constant field to every result row
    for res in results:
        res['newfield'] = 'its here'

    f.close()

    splunk.Intersplunk.outputResults(results)

except Exception as e:
    f.close()
    splunk.Intersplunk.generateErrorResults("Unhandled exception:  %s" % (e,))

local/commands.conf contains

[customtest]
filename=customtest.py

meta/local.meta contains

[commands/customtest]
access = read : [ * ], write : [ admin ]
export = system

[scripts/customtest.py]
access = read : [ * ], write : [ admin ]
export = system

I run this command in splunk with the search

sourcetype=p5_reports | dedup _time, REGIONID | table  _time REGIONID RRP | customtest

and get the result

command="customtest", Unexpected first argument to script, expected '__GETINFO__' or '__EXECUTE__'

So I run this command in splunk with the search

sourcetype=p5_reports | dedup _time, REGIONID | table  _time REGIONID RRP | customtest __EXECUTE__

and get the result

command="customtest", Unhandled exception: list index out of range 

Note watching the file I am writing to for debugging I see

Starting
argv length 2
Getting results from Splunk

Note it never says it retrieved the data from splunk.

Manually running via the commandline (worked out how to get rid of most errors)

/opt/splunk/bin/splunk cmd python /opt/splunk/etc/apps/myapp/bin/customtest.py __EXECUTE__

The script just starts and doesn't output anything

Note also that the search has results so it can't be that.

sourcetype=p5_reports | dedup _time, REGIONID | table  _time REGIONID RRP

Again either there is something fundamentally wrong with that example, the documentation or my understanding of it.

If it's the third item I would appreciate being set straight.


phoenixdigital
Builder

I even tried a super cut down python script which should just send back what it receives and that didn't work.

import csv
import sys
import splunk.Intersplunk
import string

# expect __GETINFO__ or __EXECUTE__ as the first argument
(isgetinfo, sys.argv) = splunk.Intersplunk.isGetInfo(sys.argv)

if isgetinfo:
    splunk.Intersplunk.outputInfo(False, False, True, False, None, True)

# pass the incoming results straight back out unchanged
results = splunk.Intersplunk.readResults(None, None, False)
splunk.Intersplunk.outputResults(results)


phoenixdigital
Builder

One other thing I have noticed is that when I run the script manually from the command line with
/opt/splunk/bin/python /opt/splunk/etc/apps/myapp/bin/trendlines.py __EXECUTE__

I get a bucketload of hashlib errors. Note these happen with ANY python script.

But most notably the error with the example on the splunk website is

Traceback (most recent call last):
File "/opt/splunk/etc/apps/myapp/bin/trendlines.py", line 4, in <module>
import splunk.Intersplunk
File "/opt/splunk/lib/python2.7/site-packages/splunk/__init__.py", line 2, in <module>
import util, os, logging
File "/opt/splunk/lib/python2.7/site-packages/splunk/util.py", line 18, in <module>
import splunk.clilib.cli_common as comm
File "/opt/splunk/lib/python2.7/site-packages/splunk/clilib/cli_common.py", line 6, in <module>
import lxml.etree as etree
ImportError: libxslt.so.1: cannot open shared object file: No such file or directory

I am running the latest Splunk on Oracle Linux 6

[root@theserver bin]# uname -a
Linux theserver 2.6.32-100.28.5.el6.x86_64 #1 SMP Wed Feb 2 18:40:23 EST 2011 x86_64 x86_64 x86_64 GNU/Linux

I thought that Python was distributed with Splunk so there should be no dependency issues?


bwooden
Splunk Employee
Splunk Employee

Are you trying to use the custom command from the Search app? If so, this is likely a permissions issue.

You can update from the GUI:
You'll need to go to Manager » Apps and click 'permissions' in Sharing column for 'myapp'. Change radio button for "Sharing for config file-only objects" from "This app only" to "All Apps".

Or you can update from CLI:
Create a file called /opt/splunk/etc/apps/myapp/metadata/local.meta that contains this

[]
access = read : [ * ], write : [ admin ]
export = system

After this is complete, you should be able to:

sourcetype=p5_reports | dedup _time, REGIONID | table  _time REGIONID RRP | trendlines sma1000(RRP)

If you'd like to share specific pieces of your app and not others, check out the docs on Splunk meta files.

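Putting bwooden's local.meta together with the commands.conf stanza shown earlier in the thread, as an added example rather than anything posted by either participant: the stanza the thread shows has no `supports_getinfo` setting, and with that setting at its default Splunk runs the script without a `__GETINFO__`/`__EXECUTE__` first argument, which is exactly what `isGetInfo` rejects. That is also why writing `__EXECUTE__` literally into the search works around it, since Splunk passes the search's arguments to the script as they are. The app name `myapp`, the script name and the paths are the ones used in the thread.

```ini
# /opt/splunk/etc/apps/myapp/local/commands.conf
#
# The thread's stanza had only "filename"; supports_getinfo = true makes
# Splunk invoke the script once with __GETINFO__ (to collect the flags
# outputInfo() returns) and then with __EXECUTE__, so the search can be
# written as "... | customtest" rather than "... | customtest __EXECUTE__".
[customtest]
filename = customtest.py
supports_getinfo = true

# /opt/splunk/etc/apps/myapp/metadata/local.meta (bwooden's reply):
# the empty stanza applies to every object in the app; export = system makes
# the command usable from the Search app, not just from within myapp.
[]
access = read : [ * ], write : [ admin ]
export = system
```

The script itself must still accept the extra first argument, which the `isGetInfo(sys.argv)` call in the thread's scripts already does; the `readResults(None, None, True)` change from the accepted solution is separate and is needed regardless of this setting.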

phoenixdigital
Builder

I appreciate the answer that seemed to solve it partially. I am now getting the other error I mentioned above when I run the search you suggested.

command="trendlines", Unexpected first argument to script, expected '__GETINFO__' or '__EXECUTE__'.

and then this error when I add __EXECUTE__ just after calling trendlines

External search command 'trendlines' returned error code 1

Is there something wrong with the example on Splunk's website?
