Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

External lookup Python Script: How to send a custom error message to Splunk SH UI

prabhan
New Member
‎04-25-2020 10:07 PM

Hi Splunkers,

My external lookup working just fine and the results are proper.

As mentioned in the below screenshot my_test_lookup.py is available in my /etc/apps/[my_app]/bin/my_test_lookup.py.

I don't have any issue with the external lookup with python script.

alt text

Is there any way to send a custom message from python script to splunk GUI whenever the search event matches the custom limit number(1000).

This limit is not from the splunk configs. this limit has been provided in my external lookup python script. 

r = csv.DictReader(infile)
header = r.fieldnames
w = csv.DictWriter(outfile, fieldnames=r.fieldnames)
w.writeheader()

event_count = 0
search_limit = 1000
for result in r:
    if result[group_field]:
        result[field1] = "test1"
        result[field2] = "testfiedl2"
        w.writerow(result)
        event_count += 1
        if event_count == search_limit:
            reach_limit_msg = "Reached Limit %d" % event_count
            send_message(reach_limit_msg)
            print("Reached Limit %d" % event_count)
            logger.warning("Reached Limit %d" % event_count)
            sys.exit(0)

It may be a kind of popup saying your search limit 1000 exceeded or something like below mentioned screenshot.
alt text

FYI: I have already tried bulletin message by referencing this url . It worked like charm, but it sends a bulletin message to all the users who logged in, but i would like to send a message to only the person who fired the SPL query.

Please help, Thanks in advance _/_.

capture.png
Preview file
87 KB
capture1.png
Preview file
15 KB
0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎04-26-2020 03:41 AM

If you switch to a newer version of the search commands it seems pretty easy. See the "doc" sections of the commands here:

https://github.com/splunk/splunk-sdk-python/tree/master/examples/searchcommands_app/package/bin/

0 Karma
Reply

prabhan
New Member
‎04-26-2020 05:31 AM

@jkat54 Thank you so much for your response, much appreciated!

I'm using Splunk 7+, Can you please bit elaborate how can i make use of the search commands doc.

If possible any examples please!

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎04-26-2020 06:21 AM

Did you look at the link I provided? There were plenty of examples.

0 Karma
Reply

prabhan
New Member
‎04-26-2020 06:56 AM

@jkat54 Yes, I have checked that. So as per my understanding we can create a custom search command for my use case. but i already started working with the External Lookup. Now there is no option to change it from external lookup to custom search command.

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎04-26-2020 03:20 PM

Oh right I missed that. The SPL command might be easier but if you want to try the scripted lookup you should check out intersplunk.

https://python.hotexamples.com/examples/splunk/Intersplunk/-/python-intersplunk-class-examples.html

0 Karma
Reply

prabhan
New Member
‎04-27-2020 09:17 AM

@jkat54 Scripted lookup not rely on intersplunk,
Here is my findings- Python search commands rely on Intersplunk.py to grab events from the search pipeline and pass the modified events back. The arguments passed to your script
in sys.argv are the same arguments you use when searching with the command.

So we need to identify some other way to display a custom message to the Splunk SH.

I just wanted to print the error in the Splunk search head. whenever it cross the limit.

As per my research its not possible i guess. please let me know if you have any other idea?? pls..

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎04-27-2020 04:28 PM

I mean it couldn't hurt to try...

except Exception, e:
    import traceback

    stack = traceback.format_exc()
    splunk.Intersplunk.generateErrorResults(str(e))
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...
li.common.scroll-to.top