Hi,
I created a custom search command following the instructions on this page, and it was working fine (https://www.splunk.com/en_us/blog/tips-and-tricks/write-your-own-search-language.html).
However, it stopped working suddenly. I tried adding some file-creation statements, but the files are not created; it looks like the Python program is not running at all.
Python code (C:\Program Files\Splunk\etc\apps\search\bin)
import splunk.Intersplunk
import pandas as pd  # required for pd.read_csv / to_csv below; was missing

def getShape(text):
    phrase1 = "upload"
    phrase2 = "TrustedInstaller"
    description = []
    if (phrase1 in text):
        description.append("Infra")
    elif (phrase2 in text):
        description.append("InstallationGroup")
    else:
        description.append("Misc")
    # file-creation check: copy the corpus to see whether this function runs at all
    Corpus = pd.read_csv(r"E:\corpus_single.csv", encoding='latin-1')
    Corpus.to_csv(r'E:\corpus_func.csv', index=False)
    if len(description) == 0:
        return "normal"
    return "_".join(description)

# get the previous search results
results, unused1, unused2 = splunk.Intersplunk.getOrganizedResults()

# file-creation check: copy the corpus to see whether the script runs at all
Corpus = pd.read_csv(r"E:\corpus_single.csv", encoding='latin-1')
Corpus.to_csv(r'E:\corpus_out.csv', index=False)

# for each result, add an 'assignmentgrp' attribute, calculated from the extracted Message text
for result in results:
    result["assignmentgrp"] = getShape(result["Message"])

# output results
splunk.Intersplunk.outputResults(results)
---------
Entry in command.conf
(folder: C:\Program Files\Splunk\etc\apps\search\default)
[getgroup]
filename = getgroup.py
---------------
Search Query
source="winlog1.txt" | rex field=_raw "Message: <(?<Message>.*)>" | dedup Message | table Message, getgroup
--------
winlog1.txt sample data (the file has around 10 records)
2016-09-28 04:30:31, Info Message: <Ending TrustedInstaller initialization.>
2016-09-28 04:30:31, Info Message: <Starting the TrustedInstaller main loop.>
2016-09-28 04:30:31, Info Message: <TrustedInstaller service starts successfully.>
2016-09-28 04:30:31, Info Message: <Initializing online with Windows opt-in: False.>
Is there anything in C:\Program Files\Splunk\var\log\splunk\python.log?
It's also worth checking the search log: inspect your search via Job -> Inspect Job and then click the "search.log" link.
Does this shine any light on things?
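A diagnostic variant of the getgroup command, added here as an example that is not part of this thread or of Splunk's documentation: it logs every invocation and any traceback to a file under SPLUNK_HOME (getgroup_debug.log is an assumed file name), returns the error to the search as an ERROR result instead of failing silently, and keeps the classification logic in plain functions that can be tested outside Splunk. The sample lines are constructed from the winlog1.txt records shown in the question.

```python
import logging
import os
import re
import sys
import traceback

try:
    import splunk.Intersplunk as intersplunk  # only available inside Splunk's own Python
except ImportError:  # allows importing/testing this module outside Splunk
    intersplunk = None

# Assumed diagnostic log location; SPLUNK_HOME is set when Splunk launches the script.
LOG_PATH = os.path.join(os.environ.get("SPLUNK_HOME", "."), "var", "log", "splunk",
                        "getgroup_debug.log")

# Same phrase-to-group rules as the original getShape(); first match wins.
RULES = (("upload", "Infra"), ("TrustedInstaller", "InstallationGroup"))

# Python equivalent of the rex in the search: rex field=_raw "Message: <(?<Message>.*)>"
MESSAGE_RE = re.compile(r"Message: <(?P<Message>.*)>")

# Constructed from the sample records in the question.
SAMPLE_LINES = [
    "2016-09-28 04:30:31, Info Message: <Ending TrustedInstaller initialization.>",
    "2016-09-28 04:30:31, Info Message: <Starting the TrustedInstaller main loop.>",
    "2016-09-28 04:30:31, Info Message: <TrustedInstaller service starts successfully.>",
    "2016-09-28 04:30:31, Info Message: <Initializing online with Windows opt-in: False.>",
]

def extract_message(raw):
    """Return the text between 'Message: <' and '>', or None if absent."""
    match = MESSAGE_RE.search(raw)
    return match.group("Message") if match else None

def get_shape(text):
    """Classify one message; falls back to 'Misc' like the original."""
    for phrase, group in RULES:
        if phrase in text:
            return group
    return "Misc"

def classify_results(results):
    """Add assignmentgrp to each result; use _raw when the Message field is missing."""
    for result in results:
        message = result.get("Message") or extract_message(result.get("_raw", ""))
        result["assignmentgrp"] = get_shape(message) if message else "Misc"
    return results

def main():
    logging.basicConfig(filename=LOG_PATH, level=logging.DEBUG,
                        format="%(asctime)s %(levelname)s %(message)s")
    logging.info("getgroup started, argv=%r", sys.argv)  # proves the script was launched
    try:
        results, _, _ = intersplunk.getOrganizedResults()
        intersplunk.outputResults(classify_results(results))
    except Exception:
        logging.exception("getgroup failed")  # full traceback lands in the log file
        intersplunk.outputResults(intersplunk.generateErrorResults(traceback.format_exc()))

if __name__ == "__main__":
    main()
```

Invoke it as a pipe stage (`... | getgroup`) and, when a result shows only an ERROR field, the matching traceback is in getgroup_debug.log.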