In my Splunk results say i get a lot of numerical values for a field say "A" . Now i want avg of the top 95 values of the field A . so i have defined a funciton in python like this..
AvgBest95 = sum(r[0:95])/95
and i have given the command name in commands.conf
filename = test.py
in authorize.conf also i have defined the stanga as
So Now when i run the command in the search . it is not showing any values...
i have used my search like this ..
sourcetype="mydata" | table A | test myfunciton(A)
Please help ..if i am missing anything ...
Yeah Ayn...we are paid Partners for Splunk .we often get in touch with them..and they have suggested the first place to go always is splunkbase so posted this question...i want to start with my own custom commands...thanks for your link...going through it..Hopefully will be able to do some custom commands ..
If I may plug my own app, http://splunk-base.splunk.com/apps/35644/base64-custom-command, it demonstrates just about the "most minimally viable" custom command. There is a lot of stuff there that is absolutely necessary boilerplate. It is boilerplate you need to understand to connect what you want your custom command "to do" to Splunk's custom command input and output plumbing.
Basically, custom commands need to read events on stdin, do the needful, then write the new results to stdout. And you will need to take into account that in certain situations your custom command may be called more than once by Splunk and may "see" the same event more than once.
All of that said, why did you not simply do a
| head 95 | stats avg(A) as avg_first_95_A
it's not like the search language does not have these constructs built in already...
Hi dwaddle,alcercogitatus ..i knew we can do the way u suggested..i wanted to get a pratice of custom commands so i have raised this question...
|top A limit=95 | stats avg(A) I think is more inline with what he wants :D.
(I thought you were getting personal help from Splunk's partner team?)
You should read up on the basics before you dive into this. I honestly don't know where to start - for one, you can't call individual functions in custom commands like you're trying to do. Then there's the issue of that custom commands need to use Splunk packages for receiving and outputting data. You need to read this, among other things. http://docs.splunk.com/Documentation/Splunk/5.0.2/AdvancedDev/SearchScripts
yeah..the code snippnet is there in Python file...i am not getting how can i pass this value of my field A to my function in the python file....
Is that code snippet all there is in your Python file?? In that case you have MUCH reading to do on how to create a custom command.