Splunk Dev
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Custom streaming command receives no events

wipark
Explorer
‎05-21-2025 08:26 AM

I am developing a custom streaming command. During tests and debugging I noticed the command works fine in this search:

index="_internal" | head 1 | table host | customcommand

and produces the following result:

<class 'generator'>

But when I use the command in the following search it produces no results:

index="_internal" | head 1 | customcommand

This is the code:

@Configuration()
class CustomCommand(StreamingCommand):

    def stream(self, events):
        yield {"event": str(type(events))}

and this is commands.conf:

[customcommand]
chunked = true
filename = customcommand.py
python.version = python3
requires_srinfo = true
streaming = true

How can I fix that?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

livehybrid
SplunkTrust
SplunkTrust
‎05-21-2025 08:40 AM

Hi @wipark 

Your command yields a single event with the type of the events parameter, but does not process or yield the actual input events. In a streaming command, you must iterate over the incoming events and yield output for each one. Your current implementation only yields once, regardless of input.

Try this updated code:

@Configuration()
class CustomCommand(StreamingCommand):
    def stream(self, events):
        for event in events:
            event["event"] = str(type(events))
            yield event

 

The stream method receives an iterator of events. You need to loop over events and yield each event (usually you would modify the events to perform your commands intended function..!).
Your original code only yielded once, so unless the search pipeline expected a single event, nothing was passed downstream.

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

View solution in original post

Reply
Solved! Jump to solution

wipark
Explorer
‎05-21-2025 08:58 AM

This is a simple code to reproduce the problem. My actual code iterates over the events. The problem is when I dont use the table command before my customcommand there is no events to iterate over. In this case without table there is no results not even one. Also my search in this example uses head 1, thus there is only one input  result.

0 Karma
Reply
Solved! Jump to solution
Solution

livehybrid
SplunkTrust
SplunkTrust
‎05-21-2025 08:40 AM

Hi @wipark 

Your command yields a single event with the type of the events parameter, but does not process or yield the actual input events. In a streaming command, you must iterate over the incoming events and yield output for each one. Your current implementation only yields once, regardless of input.

Try this updated code:

@Configuration()
class CustomCommand(StreamingCommand):
    def stream(self, events):
        for event in events:
            event["event"] = str(type(events))
            yield event

 

The stream method receives an iterator of events. You need to loop over events and yield each event (usually you would modify the events to perform your commands intended function..!).
Your original code only yielded once, so unless the search pipeline expected a single event, nothing was passed downstream.

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

Reply
Solved! Jump to solution

wipark
Explorer
‎05-22-2025 03:42 AM

Thanks, that solved the problem. It seems that for the code to work correctly, I need to yield the original record, or at least some fields of it. I haven’t tested thoroughly yet, but today I started testing based on this example. 

The following code works as expected for both of these queries:

index=_internal | head 1 | table host | streamingcsc
index=_internal | head 1 | streamingcsc
#!/usr/bin/env python

import os, sys

sys.path.insert(0, os.path.join(os.path.dirname(__file__), "..", "lib"))
from splunklib.searchcommands import dispatch, StreamingCommand, Configuration, Option, validators


@Configuration()
class StreamingCSC(StreamingCommand):
    def stream(self, records):
        for record in records:
            record["event"] = str(type(records))
            yield record


dispatch(StreamingCSC, sys.argv, sys.stdin, sys.stdout, __name__)

 

But The following code only works with this query:

index=_internal | head 1 | table host | streamingcsc
#!/usr/bin/env python

import os, sys

sys.path.insert(0, os.path.join(os.path.dirname(__file__), "..", "lib"))
from splunklib.searchcommands import dispatch, StreamingCommand, Configuration, Option, validators


@Configuration()
class StreamingCSC(StreamingCommand):
    def stream(self, records):
        for record in records:
            yield {"event": str(type(records))}


dispatch(StreamingCSC, sys.argv, sys.stdin, sys.stdout, __name__)

 

0 Karma
Reply
Solved! Jump to solution

wipark
Explorer
‎05-24-2025 01:38 AM

Upon further investigation It seems the _time field needs to be present for Splunk to show the results.  A code like this works:

def stream(self, events):
    yield {"myfield": "fff", "_time": "1748073052.114"}
0 Karma
Reply
Solved! Jump to solution

wipark
Explorer
‎05-21-2025 09:05 AM

This is a simple code to reproduce the problem. My actual code iterates over the events. The problem is when I dont use the table command before my customcommand there is no events to iterate over. In this case without table there is no results not even one. Also my search in this example uses head 1, thus there is only one input  result. 

I will try your version when I got back to work.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...

Introduction to Splunk AI

How are you using AI in Splunk? Whether you see AI as a threat or opportunity, AI is here to stay. Lucky for ...