custom command logging error

tombog0
Explorer

I've followed this tutorial:
http://blogs.splunk.com/2014/04/14/building-custom-search-commands-in-python-part-i-a-simple-generat...

Downloaded this repository:
https://github.com/splunk/splunk-sdk-python
and built it using python setup.py install and just followed the instructions in the tutorial.

When I got to testing the command outside of splunk section of the tutorial, I tried it:
python generatehello.py __EXECUTE count=5

and I got errors that my logging.conf is not valid because I lack handlers,
and I fixed the conf by the errors, one by one.

Here's my logging.conf:
http://pastebin.com/KwN37JYe

and now I have this error:
http://pastebin.com/HjS9km3L

How do I fix this?
Why do I have all these errors? I've just downloaded it and followed the instructions.
I have Windows 10. Splunk 6.5.0 running as localhost on my PC.

0 Karma

jkat54
SplunkTrust

I've never done it this way... instead I do this:

import splunk.mining.dcutils as dcu
logger = dcu.getLogger()

logger.info("string to log to index=_internal as Log_Level=info")
logger.warn("string to log to index=_internal as Log_Level=warn")
logger.error("string to log to index=_internal as Log_Level=error")

Not sure if that helps you but thought it was worth the mention. Should be fully compatible with the SDK, etc.

MuS
Legend

Hi tombog0,

what happens if you run the script like this:

  $SPLUNK_HOME/bin/splunk cmd python generatehello.py __EXECUTE count=5

cheers, MuS

tombog0
Explorer

"D:\Program Files\Splunk\bin\splunk.exe" cmd python generatehello.py _EXECUTE count=5
Do you mean like that?

It opens a cmd and closes it right away, I can't see what is written on it.

I've also tried to run it from splunk
| generatehello count=5
and got this error:
External search command 'generatehello' returned error code 1.

0 Karma

MuS
Legend

Open a CMD and cd into "D:\Program Files\Splunk\bin". Run the command like this:

splunk.exe cmd python generatehello.py __EXECUTE count=5

lquinn
Contributor

You need to open command prompt in administrator mode in order to see the output. That's why the window pops up and disappears again.

tombog0
Explorer

generatehello.py was originally positioned at one of my apps btw.
I copied it to the splunk/bin.

After running it on splunk as administrator as you said,
I get these errors:
Traceback (most recent call last):
  File "generatehello.py", line 4, in <module>
    from splunklib.searchcommands import \
ImportError: No module named splunklib.searchcommands

I found this guy had the same problem:
https://answers.splunk.com/answers/243498/getinfo-probe-failed-for-external-search-command-a.html
He said that he just downloaded a newer splunk-sdk-python and it fixed it, but I already have the newest from their master git, so it's not my case.

Any ideas?

Thanks for your help 🙂

0 Karma

lquinn
Contributor

Can you find the splunklib directory on your system?

tombog0
Explorer

Yes, found it. I wrote pip install splunk-sdk and it wrote that it's already up to date and wrote where it is.

It's here:
C:\python27\lib\site-packages\splunk_sdk-1.6.0-py2.7.egg\splunklib

0 Karma

lquinn
Contributor

This might be the wrong way to do it ... but I think I've had to make a copy of the splunklib directory before and paste it into the bin directory of the app that I'm running my search command from. I think this happened to me a while ago and this was my quick fix!

tombog0
Explorer

Now it complains about my "default/commands.conf"
that does not exist.
I guess it's because I've copied generatehello.py to the bin without its config.
Is there a way to run it on my app?
I've tried
splunk.exe cmd python "D:\ProgramFiles\Splunk\etc\apps\generatehello_app\bin\generatehello.py" __EXECUTE count=5
and got the same error I got at the beginning of the thread about the logging.

0 Karma

lquinn
Contributor

Are you able to run it from Splunk UI? With the splunklib directory and generatehello.py in your app/bin directory. Is your app scope global?

tombog0
Explorer

I'm not able to run it from Splunk UI.
I don't think my app is scope global. How do I check?
Anyway it doesn't even work on its own scope.

0 Karma

tombog0
Explorer

I'm not able to run it from the splunk ui.
I don't think my app is global scope.
How do I check it?
Anyway, it doesn't even work on its own scope.

0 Karma

tombog0
Explorer

I'm not able to run it from the splunk ui.
I don't think my app is global scope.
How do I check it?
Anyway, it doesn't even work on its own scope.

0 Karma

tombog0
Explorer

I'm not able to run it from splunk UI with the splunklib in app/bin.
I don't think it's scope global, how do I check?
Anyway it also doesn't work on the app scope itself.

0 Karma
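
The failures reported in this thread (splunklib not importable, no default/commands.conf next to the copied script) all come down to the app's directory layout. The following is an added example, not code from the thread, the tutorial or the Splunk SDK: a small checker that reports which of those pieces is missing. The function names and the sample app tree are assumptions made for illustration; `filename` is the commands.conf setting that names the script.

```python
import configparser
import os
import tempfile

def check_app(app_dir, command):
    """Return a list of layout problems that would stop `command` from loading."""
    problems = []
    conf_path = os.path.join(app_dir, "default", "commands.conf")
    bin_dir = os.path.join(app_dir, "bin")
    script = command + ".py"
    if not os.path.isfile(conf_path):
        problems.append("missing default/commands.conf")
    else:
        conf = configparser.ConfigParser(strict=False, interpolation=None)
        conf.read(conf_path)
        if not conf.has_section(command):
            problems.append("no [%s] stanza in commands.conf" % command)
        else:
            script = conf.get(command, "filename", fallback=script)
    if not os.path.isfile(os.path.join(bin_dir, script)):
        problems.append("missing bin/" + script)
    # The thread's ImportError appeared under `splunk cmd python` while
    # splunklib was only installed under C:\python27; a copy beside the
    # script in the app's bin directory is what this check looks for.
    pkg_init = os.path.join(bin_dir, "splunklib", "searchcommands", "__init__.py")
    if not os.path.isfile(pkg_init):
        problems.append("missing bin/splunklib/searchcommands")
    return problems

def build_sample_app(root, with_lib):
    """Constructed sample app tree (not the poster's real app)."""
    app = os.path.join(root, "generatehello_app")
    os.makedirs(os.path.join(app, "default"))
    os.makedirs(os.path.join(app, "bin"))
    with open(os.path.join(app, "default", "commands.conf"), "w") as f:
        f.write("[generatehello]\nfilename = generatehello.py\n")
    open(os.path.join(app, "bin", "generatehello.py"), "w").close()
    if with_lib:
        pkg = os.path.join(app, "bin", "splunklib", "searchcommands")
        os.makedirs(pkg)
        open(os.path.join(pkg, "__init__.py"), "w").close()
    return app

def demo(with_lib=False):
    with tempfile.TemporaryDirectory() as root:
        return check_app(build_sample_app(root, with_lib), "generatehello")

if __name__ == "__main__":
    print(demo())
```
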