Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do force a search to finish before invoking a custom search command?

Marinus
Communicator
‎08-30-2010 10:03 AM

I'm building a custom search command that performs some visualizations on a dataset outside of Splunk. It has to parse all the search results so it doesn't like chucks of data coming in.

I've set the config to disable streaming, my expectation is that the search will finish and the results will be passed on to my search command. It appears that each chuck of data is executing my search command over and over. Is this a bug? My test rig is running the latest version on Ubuntu 64bit.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Lowell
Super Champion
‎08-30-2010 02:11 PM

All you should have to do is disable streaming for your search command in commands.conf:

 [yoursearchcommand]
 streaming = false

This should force that your search command gets invoked only once and with your entire dataset. However you may run into new event limits with this approach.

Just to be clear, you will have to restart splunkd for this change to take effect.

If you've already tried this and are still not getting the results you are looking for, please update your question to include some additional details, such as: your full command.conf entry, a skeleton of your code (you can leave out the body if you want). Specifically, are you using the enableheader feature, and if so are you sure that the first argument to splunk.Intersplunk.outputInfo is False?

View solution in original post

Reply
Solved! Jump to solution

Marinus
Communicator
‎08-31-2010 07:41 AM

filed! I still think it would be useful if you could via intersplunk detect that you have received the last chunk of event. There must be a simple way to determine it?

0 Karma
Reply
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎08-31-2010 06:31 AM

And please be aware that with streaming off (and working as intended), you should only be called once, but only with the first 50,000 results, though this can apparently be changed in commands.conf with the maxinputs parameter. I don't know if there aren't other limits from limits.conf that might affect this as well though.

0 Karma
Reply
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎08-31-2010 06:26 AM

File it as a bug, I mean.

0 Karma
Reply
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎08-31-2010 06:26 AM

I suspect that there exists a bug such that custom searches are kicked of for every batch of 50,000 events, even if streaming is set off. I suspect that the data is fetched by Splunk, and even passed to the search command, but that the output is simply discarded. Or perhaps the data is fetched, but the search command is invoked without the data input. Would you please file this?

Reply
Solved! Jump to solution

Marinus
Communicator
‎08-30-2010 05:33 PM

Thanks for the reply, my search command processes all the rows and produces a file that graphviz parses. It should work like the csv writer in a sense. I can see it's being run more than once since I see multiple temp files being generated by each chunk.

[viz]
streaming = false
filename = viz.py
disabled = 0

Another strategy could be to append and if I could tell that I'm on the last chunk I could invoke my external program.

0 Karma
Reply
Solved! Jump to solution
Solution

Lowell
Super Champion
‎08-30-2010 02:11 PM

All you should have to do is disable streaming for your search command in commands.conf:

 [yoursearchcommand]
 streaming = false

This should force that your search command gets invoked only once and with your entire dataset. However you may run into new event limits with this approach.

Just to be clear, you will have to restart splunkd for this change to take effect.

If you've already tried this and are still not getting the results you are looking for, please update your question to include some additional details, such as: your full command.conf entry, a skeleton of your code (you can leave out the body if you want). Specifically, are you using the enableheader feature, and if so are you sure that the first argument to splunk.Intersplunk.outputInfo is False?

Reply
Get Updates on the Splunk Community!

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

For the past four years, Splunk has partnered with Enterprise Strategy Group to conduct a survey that gauges ...

Data-Driven Success: Splunk & Financial Services

Splunk streamlines the process of extracting insights from large volumes of data. In this fast-paced world, ...