Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Custom Command Protocol Version 2-What needs to be changed when switching from version 1 to version 2?

pinVie
Path Finder
‎10-05-2016 01:17 AM

Hi all,

I am currently a little bit stuck ...

Commands.conf looks like this:
[tc]
chunked = true
filename = tc.py

[t]
retainsevents = true
streaming = true
filename = t.py

tc is the same command as t but it should use protocol version 2 instead of 1
The version 1 script works but when using the version 2 script, it just says
"Could not locate the time (_time) field on some results returned from the external search command 'tc'"

Documentation on version 2 is a little bit sketchy so,
--> what needs to be changed when switching from version 1 to version 2?
--> is there a sample custom streaming command for version 2 ?

Thanks

Labels (1)
Labels
0 Karma
Reply

spunk_enthusias
Path Finder
‎01-05-2023 12:38 PM

Ha, yep, I had to guess this myself. The custom search commands (or splunklib in general) docs could use some work.

0 Karma
Reply

liujie
New Member
‎02-20-2018 11:03 AM

I tried to load the SDK for Python and encountered a syntax error because the SDK was created using Python 2.7 and I am using Python 3.5. Am I doing something wrong? I loaded the SDK egg that has a time stamp of 2016. Is there a new version of the SDK?

Thanks!

0 Karma
Reply

Anam
Community Manager
Community Manager
‎02-20-2018 11:15 AM

Hi liujie

This question was posted 2 years ago. If none of the answers were able to help you with your question, please post a new question so you can get maximum exposure and help.

Thanks

0 Karma
Reply

ays7abt
New Member
‎04-19-2017 11:38 PM

Hello guys,

is the now maybe a other documentation out, which explains the interface?

0 Karma
Reply

jeff
Contributor
‎03-02-2017 02:04 PM

I had the same questions. The online documentation provides not helpful advice like:

alt text

Turns out it's a problem with their documentation parsing from the source code. You can find this info in the comments of splunklib/searchcommands/generating_command.py. eg:

Reporting Generating command
============================

Commands configured like this will run as the first command on a search head on the reports pipeline.

+----------+---------------------------------------------------+------+
| Pipeline | ...  | SCP 2                                             |
+==========+=...==+===================================================+
| events   | ...  | Add this configuration setting to your command    |
|          | ...  | setting to your command class:                    |
|          | ...  |                                                   |
|          | ...  | .. code-block:: python                            |
|          | ...  |     @Configuration(type='reporting')              |
|          | ...  |     class SomeCommand(GeneratingCommand)          |
|          | ...  |         ...                                       |
|          | ...  |                                                   |
|          | ...  |                                                   |
|          | ...  |                                                   |
|          | ...  |                                                   |
|          | ...  |                                                   |
|          | ...  |                                                   |
+----------+---------------------------------------------------+------+
Preview file
1 KB
Reply

aljohnson_splun
Splunk Employee
Splunk Employee
‎10-05-2016 08:52 AM

There are some great examples in the Python SDK:

https://github.com/splunk/splunk-sdk-python/tree/master/examples/searchcommands_app

alt text

At time of writing:

├── bin
│   ├── splunklib
│   │   └── searchcommands ....... splunklib.searchcommands module
│   ├── countmatches.py .......... CountMatchesCommand implementation
│   ├── generatetext.py .......... GenerateTextCommand implementation
│   ├── pypygeneratetext.py ...... Executes generatetext.py with PyPy
│   ├── simulate.py .............. SimulateCommand implementation
│   ├── sum.py ................... SumCommand implementation
│   └── 
├── default
│   ├── data
│   │   └── ui
│   │       └── nav
│   │           └── default.xml ..
│   ├── app.conf ................. Used by Splunk to maintain app state [1]
│   ├── commands.conf ............ Search command configuration [2]
│   ├── logging.conf ............. Python logging[3] configuration in ConfigParser[4] format
│   └── searchbnf.conf ........... Search assistant configuration [5]
└── metadata
    └── local.meta ............... Permits the search assistant to use searchbnf.conf[6]
Preview file
1 KB
Reply

gwobben
Communicator
‎10-05-2016 01:39 AM

Well, there's nothing wrong with your configuration. I can't look into the Python script or the query so it's really hard to debug. As inspiration you might want to look a what others wrote, e.g.: https://answers.splunk.com/answers/387430/cant-we-use-a-custom-search-command-with-stats-in.html
Hope this helps...

0 Karma
Reply
Get Updates on the Splunk Community!

Get Inspired! We’ve Got Validation that Your Hard Work is Paying Off

We love our Splunk Community and want you to feel inspired by all your hard work! Eric Fusilero, our VP of ...

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...