Re: Splunk Enterprise Python SDK doesn't recognize...

kmstepien · ‎02-05-2020

I have a test environment on my laptop. I get the following error:

Unknown search command 'mycommand'.

Details are:
- Using Splunk Enterprise 8.0.1 on macOS running Mojave
- Created a new app called python_sdk_app and revised permissions to “All apps”
- Installed Splunk SDK 1.6.11 in bin folder of the app using ‘pip install -t . splunk-sdk’
- Created commands.conf inside the default directory of the app (also tried the local directory)
- Restarted splunk

commands.conf file:
[mycommand]
chunked=true
filename=mycommand.py

package locations:
$ python -m site
sys.path = [
'/Applications/Splunk/splunk-sdk-python-1.6.11',
'/anaconda3/lib/python36.zip',
'/anaconda3/lib/python3.6',
'/anaconda3/lib/python3.6/lib-dynload',
'/anaconda3/lib/python3.6/site-packages',
'/anaconda3/lib/python3.6/site-packages/aeosa',
'/anaconda3/lib/python3.6/site-packages/splunk_sdk-1.6.11-py3.6.egg',
]

environment variables:
SHELL=/bin/bash
SPLUNK_HOME=/Applications/Splunk
PATH=/Library/Frameworks/Python.framework/Versions/3.6/bin:/anaconda3/bin:/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin
PYTHONPATH=/Applications/Splunk/splunk-sdk-python-1.6.11

kmstepien · ‎02-05-2020

My commands.conf file was not in the correct format (i.e. hidden characters). Once that issue was resolved, the mycommand.py file could not be found so I removed the filename=mycommand.py from the commands.conf file and everything worked. This was my first question to the forum - unsure how to close it. I see no option for rescinding the question.

Splunk Enterprise Python SDK doesn't recognize custom search command

python

SDK

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?