Splunk Search

How to get custom search command to run local on search head

scottsavareseat
Path Finder

I'm trying to use the Python SDK to build a custom search command. In my commands.conf, I have "chunked = true" set. I should therefore be using version 2 of the search command language. In my Python script, I have the following lines:

from splunklib.searchcommands import dispatch, StreamingCommand, Configuration
@Configuration(distributed=False, type='streaming')

When I remove the type variable from the configuration decoration, the command tries to execute on all my indexers. However, I want it to run locally on the search head for now so I can test it and fix issues without having to deploy it all over the place. When I add the type variable, I get the following error messages. There is a ValueError saying that I can't set the type variable. Is there a way around this problem?

01-29-2020 20:07:03.600 INFO  ChunkedExternProcessor - Running process: /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/myapp/bin/myapp.py
01-29-2020 20:07:03.710 ERROR ChunkedExternProcessor - stderr: Traceback (most recent call last):
01-29-2020 20:07:03.710 ERROR ChunkedExternProcessor - stderr:   File "/opt/splunk/etc/apps/myapp/bin/myapp.py", line 9, in <module>
01-29-2020 20:07:03.710 ERROR ChunkedExternProcessor - stderr:     class myappCommand(StreamingCommand):
01-29-2020 20:07:03.710 ERROR ChunkedExternProcessor - stderr:   File "/opt/splunk/etc/apps/myapp/bin/lib/splunklib/searchcommands/decorators.py", line 84, in __call__
01-29-2020 20:07:03.710 ERROR ChunkedExternProcessor - stderr:     ConfigurationSetting.fix_up(o.ConfigurationSettings, self.settings)
01-29-2020 20:07:03.710 ERROR ChunkedExternProcessor - stderr:   File "/opt/splunk/etc/apps/myapp/bin/lib/splunklib/searchcommands/decorators.py", line 193, in fix_up
01-29-2020 20:07:03.710 ERROR ChunkedExternProcessor - stderr:     raise ValueError('The value of configuration setting {} is fixed'.format(name))
01-29-2020 20:07:03.710 ERROR ChunkedExternProcessor - stderr: ValueError: The value of configuration setting type is fixed
01-29-2020 20:07:03.720 ERROR ChunkedExternProcessor - EOF while attempting to read transport header
01-29-2020 20:07:03.721 ERROR ChunkedExternProcessor - Error in 'myapp' command: External search command exited unexpectedly with non-zero error code 1.
01-29-2020 20:07:03.721 ERROR SearchPhaseGenerator - Fallback to two phase search failed:Error in 'myapp' command: External search command exited unexpectedly with non-zero error code 1.
01-29-2020 20:07:03.722 ERROR SearchOrchestrator - Error in 'myapp' command: External search command exited unexpectedly with non-zero error code 1.
01-29-2020 20:07:03.722 ERROR SearchStatusEnforcer - sid:1580328423.9 Error in 'myapp' command: External search command exited unexpectedly with non-zero error code 1.
01-29-2020 20:07:03.722 INFO  SearchStatusEnforcer - State changed to FAILED due to: Error in 'myapp' command: External search command exited unexpectedly with non-zero error code 1.

onthebay
Path Finder

GitHub shows this fix for the distributed flag not working properly:

https://github.com/splunk/splunk-sdk-python/pull/182/files

The fix seems to be in the current splunklib. Still not sure how to properly use the distributed flag, since I cannot set type=streaming to force splunklib to respect distributed=true/false.

0 Karma

Lucas_K
Motivator

If it's just for testing, then you can try putting "| localop" prior to the command you want to run specifically on the search head.

0 Karma

scottsavareseat
Path Finder

While not a solution, I've gotten around the problem by putting a sort command in front of my command. The sort can only run on the search head which forces my command to the search head as well.

0 Karma