Splunk Dev
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

StreamingCommand Inappropriately Removes Leading Spaces

malvidin
Communicator
‎07-23-2020 03:42 PM

I can find a way to get results from a StreamingCommand to retain leading spaces. It doesn't matter if the field was fine before the app, it is gone afterward. Or even if the field wasn't processed by the command.

 

| makeresults
| eval test1 = "  "
| eval test2 = urldecode("%20%20")
| eval ok_here = if(test1==test2 AND len(test1) == 2, "true", "false")
| eval value_for_command = "nothing_special"
| customstreamingcommand field=value_for_command
| eval still_ok_here = if(test1==test2 AND len(test1) == 2, "true", "false")

In this simple case, "still_ok_here"  is false, but the same test was true before the command.

 

 

Labels (1)
Labels
0 Karma
Reply

malvidin
Communicator
‎07-25-2020 10:03 AM

I found a solution, but the problem may not be with the SDK. The SDK reads the data passed from the search command, but Splunk strips the data when passed back to Splunk.

The workaround is to modify the SDK 'splunklib.searchcommands' CSV dialect to pass the data back with csv.QUOTE_ALL in internals.py. Although this is not recommended by Splunk, it is likely preferable to modifying other Splunk internals.

Reply

malvidin
Communicator
‎07-26-2020 03:46 AM

csv.QUOTE_NONNUMERIC also works, with potentially less overhead that csv.QUOTE_ALL

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...