Been struggling with this for hours now, when trying to run a custom search command I get:
'import site' failed; use -v for traceback Traceback (most recent call last): File "generatehello.py", line 2, in <module> from splunklib.searchcommands import \ ImportError: No module named splunklib.searchcommands
I tried to make sure I had the Python SDK installed which I thought I did, but upon attempting that I get:
Traceback (most recent call last): File "setup.py", line 17, in <module> from setuptools import setup, Command
So really confused at this point how to set this thing up. I have seem all sorts of stuff about PYTHONPATH and setting that up, but it's been pretty unclear. To run Splunks bundled Python, I have been using the command:
"/apps/splunk/bin/splunk cmd python <pythonfile.py>"
Not sure if that is correct either. Could really use some guidance. Everything has been pretty confusing so far. I have had my $SPLUNK_HOME set to
/apps/splunk as well.
I had gotten it running on 2.6, but unfortunately, the search command contains some method that was not added until 2.7 so I wasn't able to use it.
@joseph_caraccio are you using v1 or v2 of the custom search command API? See description of the options here: About Custom Search Commands. You should use v2.
If you are using the Splunk-bundled interpreter, then you don't have to ship the SDK. If you use a system or other interpreter, you must use a .path file to call it correctly. A shebang won't work. And if going this route, you also must also install the Splunk SDK system-wide or package it in your app's folder like any Python module.
Lastly, "splunk cmd python" is a great troubleshooting tool, but only works if using the embedded Python.
Did you throw the
splunklib folder under the app's
bin dir? Also, did you put the proper
import splunklib.client as client in your file? Lastly, do you have the corresponding config for the new command in place?
This is nearly two years old and the SDK likely has come along way since then. I would recommend starting a new question post and point out the dev.splunk.com instructions you followed and where it failed. That way an answer can be provided that caters to the place you got stuck using the version of the SDK available today. Feel free to cross post the link to the new thread here.
Thread has been started with @sloshburch and our docs team. Hopefully we'll get this cleaned up in short order, but I think this whole dev section is getting a major revamp, so changes may not be pushed out until next major release.