Splunk Search
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why am I unable to set new fields in a custom search streaming command?

j8lp
Explorer
‎02-25-2016 12:03 PM

I'm writing a custom search command to convert all the full path xml names to just local names. I'm also making the field names all lower case for consistency. My code is below:

    def stream(self, records):
        for record in records:
            for fieldname in record.keys():
                if "." in fieldname and len(record[fieldname]) > 0:
                         newname = fieldname.lower().split('.')[-1]
                         record[newname] = record[fieldname]
                         record[fieldname] = None
            yield record

However, setting record[newname] only seems to work half the time. So when I run the search, I don't see all of the newname fields appearing in the events list. Am I doing something wrong?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

j8lp
Explorer
‎02-26-2016 11:30 AM

Figured it out. Looks like Splunk only writes the fields that are set in the first record. So removing the len(record[fieldname]) > 0 fixed the issue:

 def stream(self, records):
     for record in records:
         for fieldname in record.keys():
             if "." in fieldname:
                      newname = fieldname.lower().split('.')[-1]
                      record[newname] = record[fieldname]
                      record[fieldname] = None
         yield record

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

j8lp
Explorer
‎02-26-2016 11:30 AM

Figured it out. Looks like Splunk only writes the fields that are set in the first record. So removing the len(record[fieldname]) > 0 fixed the issue:

 def stream(self, records):
     for record in records:
         for fieldname in record.keys():
             if "." in fieldname:
                      newname = fieldname.lower().split('.')[-1]
                      record[newname] = record[fieldname]
                      record[fieldname] = None
         yield record
0 Karma
Reply
Get Updates on the Splunk Community!

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureThursday, March 27, 2025  |  11AM PST / 2PM EST | Register NowStep boldly ...

Splunk AppDynamics with Cisco Secure Application

Web applications unfortunately present a target rich environment for security vulnerabilities and attacks. ...
Top