Splunk Search

Help with custom search command (wait) needed

damucka
Builder

Hello,

I need to apply a 60 sec delay between two SPL commands, which start and collect the DB trace per dbxquery.
In between, there should be 60 sec of time. As I did not find anything corresponding, I wrote the simplest possible .py script:

import time
time.sleep(60)   # reads nothing from stdin and writes nothing to stdout

and call it like | sleep60. It waits 60 sec, but then throws an error:

08-09-2019 15:05:56.331 INFO  UserManager - Unwound user context: d038423 -> NULL
08-09-2019 15:05:56.332 INFO  PipelineComponent - Process delayed by 59.062 seconds, perhaps system was suspended?
08-09-2019 15:05:56.332 ERROR dispatchRunner - RunDispatch::runDispatchThread threw error: Error in 'sleep60' command: External search command exited unexpectedly.

Now I am thinking that the .py will perhaps not be as easy as that. Of course I expect that all the variables from before the command execution will still be visible, etc.
Any idea why I get this error and how a simple delay script should look?

Kind Regards,
Kamil

1 Solution

DavidHourani
Super Champion

Hi @damucka,

You're always doing cool stuff!

Try making the .py append a column to the results saying "60 seconds ok". That would make your debugging way easier.


damucka
Builder

Hi David,

If you mean that in my python code I should do something to append the result, then I am afraid I would ask for help with this. I mean I can start googling, but you would know for sure how this should go. You can see in the above example of my .py how simple it is, and if I now have to pip install splunk-sdk and use the input / output classes to produce the result in python ... I am not sure I want to begin with this unless it is absolutely necessary.
Or you could just tell me how the code should look :-).
Unless you mean the appendcols in SPL, from where my sleep60 is called, but I would not know how that should help here either.
Sorry for my ignorance.

Regards,
Kamil


DavidHourani
Super Champion

Hey Kamil,

Have a look here :
https://docs.splunk.com/Documentation/Splunk/7.3.1/Search/Customsearchcommandshape
It's a good example that shows you how a custom command takes an input and applies logic to it.

In your case your logic should be:
1- Data goes in.
2- Wait 60 seconds.
3- Output the same data (+ a comment to indicate the wait is complete --- optional).
In your case above in the question, your output gives nothing, hence the error.

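The three steps above, as an added example that is not code from the thread or from Splunk. It uses only the standard library and Splunk's legacy external-command protocol (result rows arrive as CSV on stdin and go back as CSV on stdout), so it is a different transport from the splunk-sdk StreamingCommand approach. Assumptions: the command is registered in commands.conf with `enableheader = false` (so no settings preamble precedes the CSV), the optional delay is passed as the first argument (`| sleep60 30`), the `wait_status` column name, and the 300 s cap (`MAX_DELAY`) are my additions so a mistyped argument cannot tie up a search slot for hours.

```python
#!/usr/bin/env python3
"""Delay-and-passthrough custom search command (added example, stdlib only).

Legacy external-command protocol: result rows come in as CSV on stdin and
are written back as CSV on stdout. Assumed commands.conf stanza:

    [sleep60]
    filename = sleep60.py
    enableheader = false

Not the SDK StreamingCommand from the thread; same three steps, different transport.
"""
import csv
import sys
import time

DEFAULT_DELAY = 60
MAX_DELAY = 300          # assumption: cap so a typo (e.g. 6000) cannot hold a search slot for hours
STATUS_FIELD = "wait_status"   # assumed name of the "wait is complete" column


def parse_delay(argv):
    """Delay in seconds from argv[1]; falls back to DEFAULT_DELAY and clamps to [0, MAX_DELAY]."""
    try:
        seconds = int(argv[1])
    except (IndexError, ValueError):
        return DEFAULT_DELAY
    return max(0, min(seconds, MAX_DELAY))


def delay_passthrough(lines, seconds, sleeper=time.sleep):
    """1) data goes in, 2) wait, 3) the same rows go out plus a status column.

    Returns the rows as dicts. `sleeper` is injectable so the logic can be
    exercised without actually sleeping.
    """
    rows = list(csv.DictReader(lines))   # consume all input before waiting
    sleeper(seconds)
    status = "%d seconds ok" % seconds
    for row in rows:
        row[STATUS_FIELD] = status
    return rows


def write_rows(rows, out):
    """Write rows back as CSV. Always emits a header, so Splunk receives valid
    (possibly empty) output instead of an empty stream. Returns the row count."""
    fieldnames = list(rows[0].keys()) if rows else [STATUS_FIELD]
    writer = csv.DictWriter(out, fieldnames=fieldnames, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return len(rows)


if __name__ == "__main__":
    written = write_rows(delay_passthrough(sys.stdin, parse_delay(sys.argv)), sys.stdout)
    sys.stderr.write("sleep command passed %d rows\n" % written)
```

The rows are collected before the sleep so that everything produced by the preceding command has already been handed over when the wait starts, and the header is written even for zero rows, which is the difference between "no results" and the "exited unexpectedly" error in the question.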

damucka
Builder

Hello David,

sorry, it took a while because we had some issues with our python 2.7 installation, where we were not able to get the splunk-sdk running, so we had to work around it by pointing to python 3.5.
The code for the waiting command is quite simple, googled and assembled from Splunk examples :-).
Please see below.

Kind Regards,
Kamil

import sys
# make the splunk-sdk egg importable from the interpreter this command runs under
sys.path.append("/usr/local/lib/python3.5/site-packages/splunk_sdk-1.6.6-py2.7.egg")
import time
from splunklib.searchcommands import dispatch, StreamingCommand, Configuration


@Configuration()
class MyCommand(StreamingCommand):
    def stream(self, records):
        # the wait happens when stream() is entered, before any record is read
        time.sleep(60)
        # pass every incoming record through unchanged so the command produces output
        for record in records:
            yield record


if __name__ == "__main__":
    dispatch(MyCommand, sys.argv, sys.stdin, sys.stdout, __name__)

DavidHourani
Super Champion

Awesome! Great work, Kamil 😉


DavidHourani
Super Champion

PS: Please accept the answer to close this post.


DavidHourani
Super Champion

Any updates, Kamil?
