
How to get a custom search command to run locally on the search head

scottsavareseat
Path Finder

I'm trying to use the Python SDK to build a custom search command. In my commands.conf, I have "chunked = true" set. I should therefore be using version 2 of the search command language. In my Python script, I have the following lines:

from splunklib.searchcommands import dispatch, StreamingCommand, Configuration
@Configuration(distributed=False,type='streaming')

When I remove the type variable from the Configuration decorator, the command tries to execute on all my indexers. However, I want it to run locally on the search head for now so I can test it and fix issues without having to deploy it all over the place. When I add the type variable, I get the following error messages. There is a ValueError saying that I can't set the type variable. Is there a way around this problem?

01-29-2020 20:07:03.600 INFO  ChunkedExternProcessor - Running process: /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/myapp/bin/myapp.py
01-29-2020 20:07:03.710 ERROR ChunkedExternProcessor - stderr: Traceback (most recent call last):
01-29-2020 20:07:03.710 ERROR ChunkedExternProcessor - stderr:   File "/opt/splunk/etc/apps/myapp/bin/myapp.py", line 9, in <module>
01-29-2020 20:07:03.710 ERROR ChunkedExternProcessor - stderr:     class myappCommand(StreamingCommand):
01-29-2020 20:07:03.710 ERROR ChunkedExternProcessor - stderr:   File "/opt/splunk/etc/apps/myapp/bin/lib/splunklib/searchcommands/decorators.py", line 84, in __call__
01-29-2020 20:07:03.710 ERROR ChunkedExternProcessor - stderr:     ConfigurationSetting.fix_up(o.ConfigurationSettings, self.settings)
01-29-2020 20:07:03.710 ERROR ChunkedExternProcessor - stderr:   File "/opt/splunk/etc/apps/myapp/bin/lib/splunklib/searchcommands/decorators.py", line 193, in fix_up
01-29-2020 20:07:03.710 ERROR ChunkedExternProcessor - stderr:     raise ValueError('The value of configuration setting {} is fixed'.format(name))
01-29-2020 20:07:03.710 ERROR ChunkedExternProcessor - stderr: ValueError: The value of configuration setting type is fixed
01-29-2020 20:07:03.720 ERROR ChunkedExternProcessor - EOF while attempting to read transport header
01-29-2020 20:07:03.721 ERROR ChunkedExternProcessor - Error in 'myapp' command: External search command exited unexpectedly with non-zero error code 1.
01-29-2020 20:07:03.721 ERROR SearchPhaseGenerator - Fallback to two phase search failed:Error in 'myapp' command: External search command exited unexpectedly with non-zero error code 1.
01-29-2020 20:07:03.722 ERROR SearchOrchestrator - Error in 'myapp' command: External search command exited unexpectedly with non-zero error code 1.
01-29-2020 20:07:03.722 ERROR SearchStatusEnforcer - sid:1580328423.9 Error in 'myapp' command: External search command exited unexpectedly with non-zero error code 1.
01-29-2020 20:07:03.722 INFO  SearchStatusEnforcer - State changed to FAILED due to: Error in 'myapp' command: External search command exited unexpectedly with non-zero error code 1.

onthebay
Path Finder

GitHub shows this fix for the distributed flag not working properly:

https://github.com/splunk/splunk-sdk-python/pull/182/files

The fix seems to be in the current splunklib. Still not sure how to properly use the distributed flag, since I cannot set type=streaming to force splunklib to respect distributed=true/false.

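What the two decorator settings actually control becomes clearer at the wire level. With "chunked = true", splunkd opens the command process and sends a "getinfo" chunk; the command answers with metadata, and that reply is where "type" and "distributed" are reported. For a StreamingCommand the SDK pins "type" to "streaming" because the class already determines it, which is the ValueError in the question, while "distributed" is the setting that decides whether the command is farmed out to indexers. The following pure-Python model of that exchange is an added illustration, not code from the Splunk SDK or from anyone in this thread; the framing (`chunked 1.0,<metadata_len>,<body_len>`) and the metadata field names follow the chunked protocol as documented for commands.conf, and the searchinfo contents are constructed placeholders.

```python
import json
from typing import Tuple


def encode_chunk(metadata: dict, body: str = "") -> bytes:
    """Frame one chunk: 'chunked 1.0,<metadata_len>,<body_len>\\n' + metadata + body."""
    meta = json.dumps(metadata).encode("utf-8")
    data = body.encode("utf-8")
    header = f"chunked 1.0,{len(meta)},{len(data)}\n".encode("ascii")
    return header + meta + data


def decode_chunk(raw: bytes) -> Tuple[dict, str]:
    """Parse a framed chunk back into (metadata, body).

    Raises ValueError when no transport header is present (an empty stream is
    what splunkd sees when the command process dies before writing anything,
    which surfaces as 'EOF while attempting to read transport header').
    """
    newline = raw.index(b"\n")  # ValueError on empty input
    tag, meta_len, body_len = raw[:newline].decode("ascii").split(",")
    if tag != "chunked 1.0":
        raise ValueError(f"unexpected transport header: {tag!r}")
    start = newline + 1
    meta_end = start + int(meta_len)
    meta = json.loads(raw[start:meta_end])
    body = raw[meta_end:meta_end + int(body_len)].decode("utf-8")
    return meta, body


def getinfo_response(distributed: bool) -> dict:
    """Metadata a streaming command returns for the 'getinfo' action.

    'type' is fixed by the command class (StreamingCommand => 'streaming'),
    so it is not a decorator argument on a chunked command; 'distributed'
    is the only setting that chooses search-head-only versus indexer execution.
    """
    return {
        "type": "streaming",
        "generating": False,
        "distributed": distributed,
        "required_fields": [],
        "finished": False,
    }


def handshake(distributed: bool) -> dict:
    """Simulate splunkd sending getinfo and the command answering it.

    Returns the decoded reply metadata so the caller can inspect what
    splunkd would act on. The searchinfo values are constructed.
    """
    request = encode_chunk({
        "action": "getinfo",
        "preview": False,
        "searchinfo": {"sid": "constructed-sid", "command": "myapp"},
    })
    meta, _ = decode_chunk(request)
    if meta.get("action") != "getinfo":
        raise ValueError("first chunk from splunkd must be getinfo")
    reply = encode_chunk(getinfo_response(distributed))
    reply_meta, _ = decode_chunk(reply)
    return reply_meta


if __name__ == "__main__":
    # Search-head-only placement: what @Configuration(distributed=False) asks for.
    print(json.dumps(handshake(distributed=False), indent=2))
```

Running the module prints the getinfo reply for a search-head-only command; the practical takeaway for the thread is that on a chunked StreamingCommand the decorator should carry only `distributed=False`, with the `type` argument left out, and a splunklib that includes the linked fix will honour it.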

Lucas_K
Motivator

If it's just for testing, you can try putting "| localop " before the command you want to run specifically on the search head.


scottsavareseat
Path Finder

While not a solution, I've gotten around the problem by putting a sort command in front of my command. The sort can only run on the search head which forces my command to the search head as well.
