Hello,

I'm trying to build a Python custom search command. The command is run after a transaction, and adds values corresponding to events in the transaction based on the business logic.

This is my search:

sourcetype=mysourcetype | transaction User_ID keepevicted=true mvlist=true | where eventcount > 2 | positioning |  table *

This is the script for my positioning command:

#!/usr/bin/env python2.7
import splunk.Intersplunk

def handle_lines(enumerable):
    for i, line in enumerate(enumerable):
            # business logic goes here
            yield new_line

output = []
for line in handle_lines(search_results):
        output.append(line)
splunk.Intersplunk.outputResults(output)

(there's a reason for my seemingly redundant use of the generator pattern here)

Even if handle_lines yields each line without doing anything to it, Splunk seems to lose its awareness of all the multi-value fields. Instead of this:

I get this:

It does work if I change my handle_lines() function to output them as an array:

def handle_lines(enumerable):
    for i, line in enumerate(enumerable):
        new_line = {}
        for attr in line:
            new_line[attr] = line[attr].split(' ')
        # business logic goes here
        yield new_line

The problem here is that some of my fields have spaces, and this causes them to get broken into multi-valued fields as well. This wreaks havoc with what I'm trying to to back in Splunk - I'm assuming that each event has multiple values for each field corresponding to its eventcount.

I'm surprised that I'm having this issue since I'm just using the data exactly as it's provided by splunk.Intersplunk; I assumed the library would handle the multi-value field logic.