I have a processing Custom Search Command which needs to filter some results.
I need to pass to this command all the events from the previous pipeline, however I get only chunked events of 50 at a time.
This is the Commands.conf configuration:
[command]
python.version = python3
filename = command.py
chunked = true
The query I'd like to use is:
index="main" | command
With chunked = true of course I get chunked results, however if I set it to false I get the following error:
External search command 'detectshipspoofing' returned error code 1. Script output = "error_message=RuntimeError at "/opt/splunk/etc/apps/detect_attacks/bin/splunklib/searchcommands/search_command.py", line 619 : Command detectshipspoofing appears to be statically configured for search command protocol version 1 and static configuration is unsupported by splunklib.searchcommands. Please ensure that default/commands.conf contains this stanza: [detectshipspoofing] filename = detect_ship_spoofing.py enableheader = true outputheader = true requires_srinfo = true supports_getinfo = true supports_multivalues = true supports_rawargs = true ".
How can I avoid this?
Thank you in advance!