Splunk Search

Custom Command Protocol Version 2-What needs to be changed when switching from version 1 to version 2?

pinVie
Path Finder

Hi all,

I am currently a little bit stuck ...

Commands.conf looks like this:
[tc]
chunked = true
filename = tc.py

[t]
retainsevents = true
streaming = true
filename = t.py

tc is the same command as t but it should use protocol version 2 instead of 1
The version 1 script works but when using the version 2 script, it just says
"Could not locate the time (_time) field on some results returned from the external search command 'tc'"

Documentation on version 2 is a little bit sketchy so,
--> what needs to be changed when switching from version 1 to version 2?
--> is there a sample custom streaming command for version 2 ?

Thanks

Labels (1)
0 Karma

spunk_enthusias
Path Finder

Ha, yep, I had to guess this myself. The custom search commands (or splunklib in general) docs could use some work.

0 Karma

liujie
New Member

I tried to load the SDK for Python and encountered a syntax error because the SDK was created using Python 2.7 and I am using Python 3.5. Am I doing something wrong? I loaded the SDK egg that has a time stamp of 2016. Is there a new version of the SDK?

Thanks!

0 Karma

Anam
Community Manager
Community Manager

Hi liujie

This question was posted 2 years ago. If none of the answers were able to help you with your question, please post a new question so you can get maximum exposure and help.

Thanks

0 Karma

ays7abt
New Member

Hello guys,

is the now maybe a other documentation out, which explains the interface?

0 Karma

jeff
Contributor

I had the same questions. The online documentation provides not helpful advice like:

alt text

Turns out it's a problem with their documentation parsing from the source code. You can find this info in the comments of splunklib/searchcommands/generating_command.py. eg:

Reporting Generating command
============================

Commands configured like this will run as the first command on a search head on the reports pipeline.

+----------+---------------------------------------------------+------+
| Pipeline | ...  | SCP 2                                             |
+==========+=...==+===================================================+
| events   | ...  | Add this configuration setting to your command    |
|          | ...  | setting to your command class:                    |
|          | ...  |                                                   |
|          | ...  | .. code-block:: python                            |
|          | ...  |     @Configuration(type='reporting')              |
|          | ...  |     class SomeCommand(GeneratingCommand)          |
|          | ...  |         ...                                       |
|          | ...  |                                                   |
|          | ...  |                                                   |
|          | ...  |                                                   |
|          | ...  |                                                   |
|          | ...  |                                                   |
|          | ...  |                                                   |
+----------+---------------------------------------------------+------+

aljohnson_splun
Splunk Employee
Splunk Employee

There are some great examples in the Python SDK:

https://github.com/splunk/splunk-sdk-python/tree/master/examples/searchcommands_app

alt text

At time of writing:

├── bin
│   ├── splunklib
│   │   └── searchcommands ....... splunklib.searchcommands module
│   ├── countmatches.py .......... CountMatchesCommand implementation
│   ├── generatetext.py .......... GenerateTextCommand implementation
│   ├── pypygeneratetext.py ...... Executes generatetext.py with PyPy
│   ├── simulate.py .............. SimulateCommand implementation
│   ├── sum.py ................... SumCommand implementation
│   └── 
├── default
│   ├── data
│   │   └── ui
│   │       └── nav
│   │           └── default.xml ..
│   ├── app.conf ................. Used by Splunk to maintain app state [1]
│   ├── commands.conf ............ Search command configuration [2]
│   ├── logging.conf ............. Python logging[3] configuration in ConfigParser[4] format
│   └── searchbnf.conf ........... Search assistant configuration [5]
└── metadata
    └── local.meta ............... Permits the search assistant to use searchbnf.conf[6]

gwobben
Communicator

Well, there's nothing wrong with your configuration. I can't look into the Python script or the query so it's really hard to debug. As inspiration you might want to look a what others wrote, e.g.: https://answers.splunk.com/answers/387430/cant-we-use-a-custom-search-command-with-stats-in.html
Hope this helps...

0 Karma
Get Updates on the Splunk Community!

Infographic provides the TL;DR for the 2024 Splunk Career Impact Report

We’ve been buzzing with excitement about the recent validation of Splunk Education! The 2024 Splunk Career ...

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...