Splunk Dev
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to create pre-actions to a custom StreamingCommand with SDK v2?

davietch
Path Finder
‎01-31-2019 02:50 AM

Hi,

I am trying to build a new custom StreamingCommand with SDK v2.

I would like this command to create a unique folder when it starts. The folder name is randomly generated with python.
The issue is that the streaming command calls these few lines of code (where I create a random folder) several times along the time the command run.
This means that instead of having just one folder, the command can create hundred of folder if the command run for a long time...

I think it is the normal behavior of a streaming command where it is called on a set of events. But is there a way to run some part of the code just once, at the beginning of the search job?

I tried to place my code outside of the 

def stream(self, records):

and right before :

dispatch(MyCommand, sys.argv, sys.stdin, sys.stdout, __name__)

But it is not changing anything.

Any idea?

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎01-31-2019 04:36 AM

You need to change your command to not allow it to run in preview. There’s a setting in commands.conf to disable preview for the spl command.

With preview on, chunks of data go through your command as they arrive causing your code to execute multiple times. With preview off, your command only executes once.

Reply

jkat54
SplunkTrust
SplunkTrust
‎01-31-2019 04:37 AM 
run_in_preview = [true|false]
* Specify whether to run this command if generating results just for preview
  rather than final output.
* Defaults to true
0 Karma
Reply

davietch
Path Finder
‎01-31-2019 04:50 AM

Hi Jkat,

Thank you but I already disabled it:

run_in_preview = false

Actually, this solved one issue:
When running a "stats count by X", and then applied my custom command, I was received the preview data. Turning this setting to false forced Splunk to give me the final result for each X field.
The problem is that it does not block Splunk from running several times the "stream" function...

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎01-31-2019 04:56 AM

Can you share your commands.conf?

0 Karma
Reply

davietch
Path Finder
‎01-31-2019 05:13 AM

Sure:

[savetofile]
filename = savetofile.py
enableheader = true
outputheader = true
requires_srinfo = true
stderr_dest = message
supports_getinfo = true
supports_rawargs = true
supports_multivalues = true
run_in_preview = false
0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎01-31-2019 06:17 PM

I’ve built everything using intersplunk.py so far. I don’t have much experience with v2 of the search sdk. I will say I think you have to have chunked=true in commands.conf for v2 commands. Not sure what else could cause it from a settings stand point.

Might have to share your code so we can help more.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...