Splunk Dev
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

splunk.Intersplunk.outputResults sending another header? Or bad commands.conf options?

rshoward
Path Finder
‎04-08-2011 10:14 PM

When using splunk.Intersplunk.outputResults for even 1 record as a streaming command, I get an extra header with a improperly casted time field that ends up making the search compain about fields coming back in the wrong time order thus throwing an error.

The external search command 'command' did not return events in descending time order, as expected.

if I turn off streaming, I get:

    _time                    commandfield    logfield
1   4/3/74 10:46:24.314 AM   commandfield    logfield
2   4/8/11 10:00:26.000 PM   5.39677852134   value1
3   4/8/11 10:00:26.000 PM   5.39677852134   value2
4   4/8/11 10:00:12.000 PM   5.1593157535    value3
5   4/8/11 10:00:12.000 PM   5.1593157535    value4
6   4/8/11 9:59:55.000 PM    5.52337405618   value5
7   4/8/11 9:59:55.000 PM    5.53858132907   value6
8   4/8/11 9:59:55.000 PM    5.53426175508   value7

I've tried using outputheader=true and I get zero results

I'm probably doing something dumb, backwards or wrong but I just don't see it yet...

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

carasso
Splunk Employee
Splunk Employee
‎04-14-2011 04:04 AM

That output looks very strange.

I'm unsure about all the settings for your command in command.conf.

I'm also unsure what your command is doing with the _time values -- whether it's casting them to a string, for example.

This would be putting a bandaid on cancer, but you might want to look at the generates_timeorder and overrides_timeorder settings for your command in commands.conf.

View solution in original post

Reply
Solved! Jump to solution
Solution

carasso
Splunk Employee
Splunk Employee
‎04-14-2011 04:04 AM

That output looks very strange.

I'm unsure about all the settings for your command in command.conf.

I'm also unsure what your command is doing with the _time values -- whether it's casting them to a string, for example.

This would be putting a bandaid on cancer, but you might want to look at the generates_timeorder and overrides_timeorder settings for your command in commands.conf.

Reply
Solved! Jump to solution

rshoward
Path Finder
‎04-14-2011 04:24 PM

this was all in my fast and flustered attempt at getting my first streaming command, and first python code (Yes I've been living under a rock, but only renting), to run before the weekend.

I ended up with http://answers.splunk.com/questions/13636/calculate-entropy-just-entropy-not-change-in-entropy-like-...

I came to the conclusion that I might have been using the functions completely backwards. (bulk for streaming etc)

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...