Re: Custom search command always shows Statistics ...

plucas_splunk · ‎08-27-2016

I have a custom search command nbclosest that returns a subset of search results used like:

index="muni" | nbclosest

That is if there were results containing log entries A, B, C, D, E, it would return a subset, say, A, B, D.

It works (in that only a subset of log entries are returned), but when I run the search, the UI always shows the Statistics tab containing every field in column format ( _raw, _time, ... date_wday, ...).

I want it to show the Events tab as usual, but only the returned subset. (The Events tab shows all the original pre-filtered log entries.)

How can I get what I want?

FYI, my commands.conf is:

[nbclosest]
filename = nbclosest.py
enableheader = false
overrides_timeorder = true
required_fields = _time,vehicle_id,vehicle_distance,stop_tag

The script is:

#! /usr/bin/env python

import csv
import operator
import sys

K_STAG      = 'stop_tag'
K_TIME      = '_time'
K_VDISTANCE = 'vehicle_distance'
K_VID       = 'vehicle_id'

vehicle_dict = { }

try:
    reader = csv.DictReader( sys.stdin )
    headers = reader.fieldnames
    writer = csv.DictWriter( sys.stdout, headers )
    writer.writeheader()

    for row in reader:
        vid = row[ K_VID ]
        if vid not in vehicle_dict:
            vehicle_dict[ vid ] = row
        else:
            old_row = vehicle_dict[ vid ]
            old_stop = old_row[ K_STAG ]
            new_stop =     row[ K_STAG ]
            if new_stop == old_stop:
                old_distance = int( old_row[ K_VDISTANCE ] )
                new_distance = int(     row[ K_VDISTANCE ] )
                if new_distance <= old_distance:
                    vehicle_dict[ vid ] = row
            else:
                writer.writerow( old_row )
                vehicle_dict[ vid ] = row

    remaining_rows = vehicle_dict.values()
    for row in sorted( remaining_rows, key=operator.itemgetter( K_TIME ) ):
        writer.writerow( row )

except Exception as e:
    import traceback
    stack = traceback.format_exc()
    print >>sys.stderr, "Unhandled exception: %s; %s" % (e, stack)

irsysintegratio · ‎09-11-2017

Actually it does not need v2. V1 works as well. Just need to set this in your command.conf for the command:
retainsevents=true

plucas_splunk · ‎09-11-2017

But new code should use v2.

inventsekar · ‎08-28-2016

Raw event searches will show the "Events" tab, by default.
Report-generating searches (stats, timechart, top, etc) will show the "Statistics" tab by default.

About the search results tabs -
When you run a search, the types of search commands you use affects which
search results tab get populated. If your search just retrieves events, you can
view the results in the Events tab, but not in the other tabs. If the search includes
transforming commands, you can view the results in the Statistics and
Visualization tabs.
http://docs.splunk.com/Documentation/Splunk/6.0.1/SearchTutorial/Aboutthesearchtabs

on your python script, i am not seeing any splunk commands. if you give us the splunk query, maybe, we can see, if possible to add a "raw event search command" at the end and make it return the "Events" tab by default.

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !

plucas_splunk · ‎08-29-2016

Actually, I finally figured out how to use the protocol version 2 (the documentation is pretty sketchy). My scripts using v2 works as I want. So I suppose never mind.

irsysintegratio · ‎09-11-2017

How can you do that please?

Custom search command always shows Statistics tab

Index This | What are the 12 Days of Splunk-mas?

Get Inspired! We’ve Got Validation that Your Hard Work is Paying Off

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience