Solved: Re: How to resolve Splunk SDK for Python custom st...

kcnolan13 · ‎02-02-2017

I am building a custom streaming search command using the Python SDK and the instructions laid out here. So far, I'm just testing the basic process of trying to get the command to run from within Splunk (i.e. the command itself doesn't do anything yet). However, I'm running into trouble simply importing the SDK libraries shown in the example. Here is a stack trace from the job inspector:

I copied the splunklib folder from the SDK into my app's bin directory, and below is the streaming command's code so far. Anyone have an idea what's wrong here? I'm not sure what "No section: 'handlers'" would mean in this context.

import sys
from splunklib.searchcommands import dispatch, StreamingCommand, Configuration, Option, validators


@Configuration()
class ipasnCommand(StreamingCommand):

    def stream(self, events):
        # Put your event transformation code here
        pass

dispatch(ipasnCommand, sys.argv, sys.stdin, sys.stdout, __name__)

kcnolan13 · ‎02-02-2017

Solution was to simply add this to logging.conf:

[handlers]
keys = app, splunklib, stderr

View solution in original post

kcnolan13 · ‎02-02-2017

Solution was to simply add this to logging.conf:

[handlers]
keys = app, splunklib, stderr

mrgibbon · ‎06-06-2018

Where is this logging.conf file?
Thanks

jawaharas · ‎10-03-2018

'logging.conf' file should be under "$SPLUNK_HOME/etc//default" folder

jkat54 · ‎10-03-2018

Never change files in /etc/system/default

Put it in $splunk_home/etc/apps/appName/local

jkat54 · ‎02-02-2017

You're importing Configuration which I assume is causing this.

Try breaking your imports out into one line each and see what line causes the error. 99% chance it's Configuration.

from splunklib.searchcommand import dispatch
from splunklib.searchcommand import Confiuration
...
And so on

It's looking for a .conf file with a section called handlers... Example:

[handlers]
Key=value

kcnolan13 · ‎02-02-2017

Thanks, just figured that part out on my own I think. Does anyone have an example of a streaming command that actually does something? I'm not sure what the syntax is for modifying events in the "def stream(self, events):" function. Having pass in there doesn't seem to work.... the web interface is throwing: TypeError at "/opt/splunk/etc/apps/ip_asn/bin/splunklib/searchcommands/internals.py", line 519 : 'NoneType' object is not iterable

kcnolan13 · ‎02-02-2017

Never mind, figured it out. Just need to iterate over events and yield each one.

kcnolan13 · ‎02-02-2017

Update, I stuck this in logging.conf:

[handlers]
keys =

Now, there is a fun new error:

02-02-2017 14:38:25.649 ERROR ChunkedExternProcessor - stderr:   File "/opt/splunk/etc/apps/ip_asn/bin/splunklib/searchcommands/environment.py", line 102, in configure_logging
02-02-2017 14:38:25.649 ERROR ChunkedExternProcessor - stderr:     fileConfig(filename, {'SPLUNK_HOME': splunk_home})
02-02-2017 14:38:25.649 ERROR ChunkedExternProcessor - stderr:   File "/opt/splunk/lib/python2.7/logging/config.py", line 86, in fileConfig
02-02-2017 14:38:25.649 ERROR ChunkedExternProcessor - stderr:     _install_loggers(cp, handlers, disable_existing_loggers)
02-02-2017 14:38:25.649 ERROR ChunkedExternProcessor - stderr:   File "/opt/splunk/lib/python2.7/logging/config.py", line 205, in _install_loggers
02-02-2017 14:38:25.649 ERROR ChunkedExternProcessor - stderr:     log.addHandler(handlers[hand])
02-02-2017 14:38:25.649 ERROR ChunkedExternProcessor - stderr: KeyError: 'stderr'

kcnolan13 · ‎02-02-2017

Okay, so just by playing around with it, I seem to have worked around the errors.

Using this did the trick:
[handlers]
keys = app, splunklib, stderr

How to resolve Splunk SDK for Python custom streaming search command?

Infographic provides the TL;DR for the 2024 Splunk Career Impact Report

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?