Streamable command can return more than one row?

ppatrikfr · ‎10-15-2019

Hello, I'm creating a custom command on splunk (as you can see bellow), my problem is that from one row I want to create two.

Is it possible?

Just to keep you in the context, what i'm trying to change this single line:
main_app first_relation second_relation

into two:
main_app first_relation
main_app second_relation

import sys
import re
from splunklib.searchcommands import dispatch, StreamingCommand, Configuration


@Configuration(local=True)
class ExtractDicom(StreamingCommand):
    def stream(self, records):
        for record in records:
            record['from'] = None
            record['to'] = None
            if record['main_app'] is not None or record['main_app']!='':
                record['from'] = record['main_app']
                record['to'] = record['first_relation']
                record['from'] = record['main_app']
                record['to'] = record['second_relation']

            record['meh'] = {'data2', 'data3'}

            yield record


if __name__ == "__main__":
    dispatch(ExtractDicom, sys.argv, sys.stdin, sys.stdout, __name__)

Any kind of help I would appreciate 🙂

Streamable command can return more than one row?

SDK

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?

Streamable command can return more than one row?

SDK

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem