Custom search script that only produces keys

Communicator

Hi All

I'd like to create a search script that uses a field to do some internal calculations. The output isn't search results but 10 keys I'd like to use for graphing purposes. Can I specify an empty row with just keys using splunk.Intersplunk.outputResults(results)?

Is there a best practice here?

1 Solution

Super Champion

Yeah, I think so.

If you are asking if it's possible to take the input, look at a certain field for your calculation, then return a completely different set of results based on your calculations (or whatever), then yes, you can do that. That's not a problem.

splunk.Intersplunk.outputResults expects a list of dictionaries, so as long as you pass that in, your search command should work. Splunk has no way of knowing if you are starting with existing event data and augmenting fields, or if you are building a new set of results from scratch--you have the freedom to do whatever you need. That said, you will want to make sure you have your search command set up properly in commands.conf. For example, you should tell splunk that you will not be retaining events, and that you don't want streaming mode (since you will probably want to operate on all results at once, and not a chunk at a time).

I'm guessing you've been on this page already, but here's a link anyway: Custom search commands. Read over the "types of commands" section to give you an idea of what attributes you should set up for your command. (You may want to enable supports_getinfo mode and therefore use the isGetInfo() function if you have any kind of arguments that your script will need. I'm not 100% sure what the pros/cons are of using getinfo.)

BTW. Be sure to check out $SPLUNK_HOME/etc/apps/search/bin/*.py for more examples. There are lots of examples to help you get started.


I'm not sure what you mean by:

Can I specify an empty row with just keys ...

If you want to pass an empty value to splunk, then you can simply set the value to an empty string.

import splunk.Intersplunk

results = []
for my_result in some_list:        # some_list: whatever you computed from the input field
    d = {}
    d["some_field"] = my_result
    d["empty_field"] = ""          # field is emitted, but with an empty value
    ...
    results.append(d)
splunk.Intersplunk.outputResults(results)   # takes a list of dictionaries

In this case "empty_field" would have no value. Because input and output are translated into and out of CSV format, there is no way to differentiate between a missing field and an empty field. Also, different rows can have a different set of keys (fields), which is handled automatically by the outputResults() function (as well as multi-valued fields).

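An added example (not from the answer above and not Splunk's own code) that does what the answer describes: it collapses the input into one row of ten computed keys, and it shows why a missing field and an empty field look the same after the CSV round trip. The stdlib csv round trip is an assumption standing in for the Intersplunk CSV path, and SAMPLE_EVENTS is constructed data.

```python
import csv
import io

# Constructed sample events, shaped like the rows a custom command receives
# from Splunk (not real data). Two rows lack a usable "bytes" value.
SAMPLE_EVENTS = [
    {"host": "web01", "bytes": "120"},
    {"host": "web02", "bytes": "80"},
    {"host": "web03", "bytes": "300"},
    {"host": "web04"},               # field missing entirely
    {"host": "web05", "bytes": ""},  # field present but empty
]

def percentile_keys(events, field="bytes"):
    """Collapse the input into one row of ten keys (p10..p100, nearest-rank
    percentiles of `field`), the shape the questioner wants for graphing.
    The returned list of dicts is what you would hand to outputResults()."""
    values = sorted(float(ev[field]) for ev in events if ev.get(field, "") != "")
    n = len(values)
    row = {}
    for p in range(10, 101, 10):
        rank = (p * n + 99) // 100            # ceil(p/100 * n), integer-safe
        row["p%d" % p] = "%g" % values[rank - 1] if n else ""
    return [row]

def csv_roundtrip(results):
    """Write rows out as CSV and read them back, as happens on the boundary
    between a custom command and Splunk (assumption: stdlib csv stands in for
    the Intersplunk CSV path). The header is the union of all rows' keys, so
    a key absent from one row comes back as an empty string, indistinguishable
    from a key that was explicitly set to ""."""
    fieldnames = []
    for row in results:
        for key in row:
            if key not in fieldnames:
                fieldnames.append(key)
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames, restval="")
    writer.writeheader()
    writer.writerows(results)
    buf.seek(0)
    return list(csv.DictReader(buf))

if __name__ == "__main__":
    print(percentile_keys(SAMPLE_EVENTS))
    print(csv_roundtrip([{"a": "1"}, {"a": "2", "b": ""}]))
```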
