Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can't use stats with custom streaming searchcommand

wesleya
Explorer
‎11-04-2020 09:49 AM

I have a custom search command that extracts a domain name from a url string field you specify into a new "domain" field. This works fine on a dev cluster we have setup (3 search heads, 2 indexers). For example this returns expected results:

index=main
| table _time url
| mycustomcommand field_in=url

but adding stats command at the end of the search causes the search to fail with the following error:

index=main
| table _time url
| mycustomcommmand field_in=url
| stats count by domain

2 errors occurred while the search was executing. Therefore, search results might be incomplete. Hide errors.
[ip-{indexer_1_ip}] Streamed search execute failed because: Error in 'mycustomcommmand' command: External search command exited unexpectedly with non-zero error code 1..
[ip-{indexer_2_ip}] Streamed search execute failed because: Error in 'mycustomcommmand' command: External search command exited unexpectedly with non-zero error code 1..

Running the search directly on the indexer returns 0 results, because we don't have the url field extraction there. But there are no errors.

My questions are

  1. Where can I find the reason for the failure? I can't seem to find what the actual error is anywhere in the search.log.
  2. Any ideas about what's going on here, or documentation that may help?
Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

wesleya
Explorer
‎11-05-2020 09:10 AM

Thank you for the help! This led me to figure out I was only looking at the logs for the search head.  The search was streamed to indexers when using the stats command, and those indexer search.log files can be found through the job inspector under the Search Job Properties link.

The script errors found there (ImportError: No module named {mylib}) led me to this answer which explains the problem nicely: https://community.splunk.com/t5/Developing-for-Splunk-Enterprise/Custom-streaming-search-command-err...

View solution in original post

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎11-04-2020 10:04 AM

Try appending | noop log_DEBUG=* to the search.  Then check the search log for debug messages that may help determine the cause of the error.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution
Solution

wesleya
Explorer
‎11-05-2020 09:10 AM

Thank you for the help! This led me to figure out I was only looking at the logs for the search head.  The search was streamed to indexers when using the stats command, and those indexer search.log files can be found through the job inspector under the Search Job Properties link.

The script errors found there (ImportError: No module named {mylib}) led me to this answer which explains the problem nicely: https://community.splunk.com/t5/Developing-for-Splunk-Enterprise/Custom-streaming-search-command-err...

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | Why did the turkey cross the road?

November 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...