Splunk Enterprise

Custom search command avoid chunked results

Unige2021
Loves-to-Learn

I have a processing Custom Search Command which needs to filter some results.

I need to pass to this command all the events from the previous pipeline, however I get only chunked events of 50 at a time.

This is the Commands.conf configuration:

[command]
python.version = python3
filename = command.py
chunked = true

The query I'd like to use is: 

index="main" | command

With chunked = true of course I get chunked results, however if I set it to false I get the following error:

External search command 'detectshipspoofing' returned error code 1. Script output = "error_message=RuntimeError at "/opt/splunk/etc/apps/detect_attacks/bin/splunklib/searchcommands/search_command.py", line 619 : Command detectshipspoofing appears to be statically configured for search command protocol version 1 and static configuration is unsupported by splunklib.searchcommands. Please ensure that default/commands.conf contains this stanza: [detectshipspoofing] filename = detect_ship_spoofing.py enableheader = true outputheader = true requires_srinfo = true supports_getinfo = true supports_multivalues = true supports_rawargs = true ". 

How can I avoid this?

Thank you in advace!

Labels (1)
0 Karma
Register for .conf21 Now! Go Vegas or Go Virtual!

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.