Splunk Search

custom command help

rakesh_498115
Motivator

Hi,

In my Splunk results, say I get a lot of numerical values for a field, say "A". Now I want the average of the top 95 values of the field A, so I have defined a function in Python like this:

# test.py

def myfunction(r):
    # Average of the first 95 entries of the list r.
    # Divide by a float so Python 2 does not truncate to an integer.
    AvgBest95 = sum(r[0:95]) / 95.0
    return AvgBest95

and I have given the command name in commands.conf:

[test]
filename = test.py

In authorize.conf I have also defined the stanzas as:

[capability::run_script_test]

[role_admin]
run_script_test= enabled

So now when I run the command in the search, it is not showing any values.

I have used my search like this:

sourcetype="mydata" | table A | test myfunction(A)

Please help if I am missing anything.


rakesh_498115
Motivator

Yeah Ayn, we are paid partners for Splunk. We often get in touch with them, and they have suggested that the first place to go is always Splunkbase, so I posted this question. I want to start with my own custom commands. Thanks for your link; going through it. Hopefully I will be able to do some custom commands.

dwaddle
SplunkTrust

If I may plug my own app, http://splunk-base.splunk.com/apps/35644/base64-custom-command, it demonstrates just about the "most minimally viable" custom command. There is a lot of stuff there that is absolutely necessary boilerplate. It is boilerplate you need to understand to connect what you want your custom command "to do" to Splunk's custom command input and output plumbing.

Basically, custom commands need to read events on stdin, do the needful, then write the new results to stdout. And you will need to take into account that in certain situations your custom command may be called more than once by Splunk and may "see" the same event more than once.

All of that said, why did you not simply do a

| head 95 | stats avg(A) as avg_first_95_A

It's not like the search language does not have these constructs built in already...

rakesh_498115
Motivator

Hi dwaddle, alacercogitatus. I knew we could do it the way you suggested; I wanted to get some practice with custom commands, so I raised this question.

alacercogitatus
SplunkTrust

|top A limit=95 | stats avg(A) is more in line with what he wants, I think :D. http://www.keepcalmandposters.com/posters/54856.png

Ayn
Legend

(I thought you were getting personal help from Splunk's partner team?)

Ayn
Legend

You should read up on the basics before you dive into this. I honestly don't know where to start. For one, you can't call individual functions in custom commands like you're trying to do. Then there's the issue that custom commands need to use Splunk packages for receiving and outputting data. You need to read this, among other things. http://docs.splunk.com/Documentation/Splunk/5.0.2/AdvancedDev/SearchScripts
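To make the plumbing dwaddle describes (read results on stdin, write results to stdout) and Ayn's point (Splunk runs the script, it does not call a function inside it) concrete, here is an added example of a minimal reporting command that computes the average of the top N values of a field. It is not code from the original post or from Splunk; it uses only the Python standard library so it runs stand-alone, where a real deployment would normally use splunk.Intersplunk.readResults/outputResults. Assumed here: the script sits in $SPLUNK_HOME/etc/apps/<app>/bin/, the commands.conf stanza sets enableheader = false so stdin is plain CSV, and the search invokes it as "| test A 95" (field name, then count) rather than "test myfunction(A)". The sample input is constructed.

```python
#!/usr/bin/env python
# Added example (not from the original post): a minimal Splunk custom
# search command using only the Python standard library.
#
# Splunk does not call a named function inside the script. It runs the
# script, passes the search arguments on the command line, pipes the
# preceding results to stdin as CSV, and reads the new results back from
# stdout as CSV. Assumptions: the script lives in
# $SPLUNK_HOME/etc/apps/<app>/bin/, commands.conf sets enableheader = false
# so stdin is plain CSV (splunk.Intersplunk.readResults/outputResults would
# handle Splunk's header block otherwise), and the search calls
# "| test A 95".
import csv
import io
import sys

# Constructed sample input standing in for what "| table A" would pipe in.
# It includes a non-numeric value and a blank line to show they are skipped.
SAMPLE_CSV = "A\n10\n7.5\nabc\n\n3\n"


def rows_from_csv(text):
    """Parse CSV text into a list of dicts, one per result row."""
    return list(csv.DictReader(io.StringIO(text)))


def avg_top_n(rows, field, n):
    """Average of the n largest numeric values of `field` across rows.

    Non-numeric and missing values are skipped rather than aborting the
    search; returns None when no numeric value was found.
    """
    values = []
    for row in rows:
        try:
            values.append(float(row.get(field, "")))
        except (TypeError, ValueError):
            continue
    if not values:
        return None
    top = sorted(values, reverse=True)[:n]
    return sum(top) / len(top)


def render_csv(result, n):
    """Serialize the single result row Splunk will read from stdout."""
    name = "AvgBest%d" % n
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=[name], lineterminator="\n")
    writer.writeheader()
    if result is not None:
        writer.writerow({name: result})
    return out.getvalue()


def main(argv):
    if len(argv) != 3:
        sys.stderr.write("usage: test.py <field> <count>\n")
        return 2
    field, n = argv[1], int(argv[2])
    # Read Splunk's results from stdin; fall back to the sample when run
    # by hand from a terminal.
    text = SAMPLE_CSV if sys.stdin.isatty() else sys.stdin.read()
    sys.stdout.write(render_csv(avg_top_n(rows_from_csv(text), field, n), n))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it by hand as `python test.py A 2` to see the CSV Splunk would receive for the sample (one row, AvgBest2 = 8.75). Because the command needs the whole result set to pick the top N, it should be a non-streaming command, and dwaddle's caveat still applies: keep it free of side effects, since Splunk may invoke it more than once on overlapping input.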

rakesh_498115
Motivator

Yeah, the code snippet is there in the Python file. I am not getting how I can pass the value of my field A to my function in the Python file.

Ayn
Legend

Is that code snippet all there is in your Python file? In that case you have MUCH reading to do on how to create a custom command.
