Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Send Fields from Search to External Python Script to Update Lookup Table

wweiland
Contributor
‎02-01-2014 09:37 PM

I'm trying to send fields that I gather from a search command and send the results to a external python script. The script will then take those results and update a lookup table. I've gotten the python script working to take 3 arguments and update the csv file. I'm having problems getting the search command to output the information. I thought I was to use the script command, but I guess that is for something else. Has anyone else done this before? Any suggestions?

Thanks in advance.

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

wweiland
Contributor
‎02-03-2014 01:36 PM

I went ahead and got the savedsearch working. Now I can just do a ... | table blah1 blah2 blah3 | savedsearchcmd

I had to map the command in the local/commands.conf. The python script uses fileinput to find the text and replace it. Runs like a champ. Thanks again everyone.

Tricky part in python was trying to figure out how it delivered the information.

import splunk.Intersplunk

results = []

try:

results = splunk.Intersplunk.readResults(None, None, True)
for i in results:
    node = i.get('nodes')
    jobid = i.get('jobid')
    status = i.get('typeid')

except:

import traceback

stack = traceback.format_exc()

results = splunk.Intersplunk.generateErrorResults("Error : Traceback: " + str(stack))

View solution in original post

Reply
Solved! Jump to solution
Solution

wweiland
Contributor
‎02-03-2014 01:36 PM

I went ahead and got the savedsearch working. Now I can just do a ... | table blah1 blah2 blah3 | savedsearchcmd

I had to map the command in the local/commands.conf. The python script uses fileinput to find the text and replace it. Runs like a champ. Thanks again everyone.

Tricky part in python was trying to figure out how it delivered the information.

import splunk.Intersplunk

results = []

try:

results = splunk.Intersplunk.readResults(None, None, True)
for i in results:
    node = i.get('nodes')
    jobid = i.get('jobid')
    status = i.get('typeid')

except:

import traceback

stack = traceback.format_exc()

results = splunk.Intersplunk.generateErrorResults("Error : Traceback: " + str(stack))

Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎02-03-2014 01:38 PM

Feel free to post your command's definition here if you like.

0 Karma
Reply
Solved! Jump to solution

harry2007gsp
Path Finder
‎08-01-2018 09:22 AM

@wweiland, where are you bringing 'Intersplunk' from?
I could not find it either inside splunk sdk or splunklib libraries.

0 Karma
Reply
Solved! Jump to solution

wweiland
Contributor
‎08-01-2018 09:48 AM

I'm not sure if this still works. This was from 2014 and I'm not in that environment anymore.

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎02-02-2014 11:04 AM

You can do that with native Splunk.

Load new data, append+inputlookup the existing lookup table, run stats by node or whatever you need to merge the two, pipe to outputlookup.

Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎02-03-2014 01:20 PM

Take a look at the saved searches in the SoS app, they load stuff and store it in a lookup using outputlookup.

0 Karma
Reply
Solved! Jump to solution

wweiland
Contributor
‎02-02-2014 03:41 PM

martin_mueller, do you possibly have any pointers on what you suggested?

0 Karma
Reply
Solved! Jump to solution

wweiland
Contributor
‎02-02-2014 11:29 AM

New approach. I'll see if I can get that working as well. Thanks for your input.

0 Karma
Reply
Solved! Jump to solution

wweiland
Contributor
‎02-02-2014 11:01 AM

I need something that will update lines in the table. I have a list of compute nodes and when jobs start the job id will be assigned to that node. When the job ends the node will be marked idle. The logs wont produce the states of each node at search time. I also thougt about trying to do a mysql connector, but trying to stick to native splunk if possible.

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎02-02-2014 10:43 AM

Have you considered updating the lookup table directly from the search using outputlookup?

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/outputlookup

0 Karma
Reply
Solved! Jump to solution

wweiland
Contributor
‎02-02-2014 10:42 AM

I added it to the commands.conf, but when I do a search | script.py it fails. Do I have to do the outputResults if I don't plan to return anything?

0 Karma
Reply
Solved! Jump to solution

linu1988
Champion
‎02-01-2014 11:23 PM

is the script working from search bar? then you need to add the script in commands.conf. Need to include

splunk.Intersplunk.outputResults(results)

for output.

http://docs.splunk.com/Documentation/Splunk/6.0.1/AdvancedDev/SearchScripts

0 Karma
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...