Issue
Splunk custom command will not work unless Splunkd is started by the root user.
If 'getinfo' is the culprit, is it due to rights/perms? And if so, what rights do I need to modify on which files/directories to make it work with the splunk user?
Background
Custom command is a python built command to calculate geometric means.
It uses splunklib.searchcommands and imports dispatch, StreamingCommand, Configuration, Option, validators.
paths '/opt/splunk/etc/apps/<appname>/bin/gmeans.py' and '/opt/splunk/etc/apps/<appname>/bin/splunklib/searchcommands/.py*'
Splunk runs as user: splunk. The splunk user:group also has (775) permissions across directories and files to the gmeans.py and splunklib.
gmeans command in Splunk is configured as "Everyone --> read - write" permissions
I have run the following command: chown -R splunk:splunk /opt/splunk
Splunk version 6.2.0
Problem
If Splunk is started as sudo root, then gmeans.py works perfectly.
If Splunk is started as splunk, then gmeans fails with getinfo error.
commands.conf
[gmeans]
filename = gmeans.py
supports_getinfo = true
supports_rawargs = true
outputheader = true
btool command gmeans
splunk btool --debug commands list gmeans
/opt/splunk/etc/apps/<appname>/default/commands.conf [gmeans]
/opt/splunk/etc/system/default/commands.conf changes_colorder = true
/opt/splunk/etc/system/default/commands.conf enableheader = true
/opt/splunk/etc/apps/<appname>/default/commands.conf filename = gmeans.py
/opt/splunk/etc/system/default/commands.conf generates_timeorder = false
/opt/splunk/etc/system/default/commands.conf generating = false
/opt/splunk/etc/system/default/commands.conf maxinputs = 50000
/opt/splunk/etc/system/default/commands.conf outputheader = false
/opt/splunk/etc/system/default/commands.conf passauth = false
/opt/splunk/etc/system/default/commands.conf perf_warn_limit = 0
/opt/splunk/etc/system/default/commands.conf required_fields = *
/opt/splunk/etc/system/default/commands.conf requires_preop = false
/opt/splunk/etc/system/default/commands.conf retainsevents = false
/opt/splunk/etc/system/default/commands.conf streaming = false
/opt/splunk/etc/apps/<appname>/default/commands.conf supports_getinfo = true
/opt/splunk/etc/apps/<appname>/default/commands.conf supports_rawargs = true
/opt/splunk/etc/system/default/commands.conf type = python
Update 6-17-2015
I installed a brand new Splunk instance (6.2.3) as the splunk user. I followed every piece of online documentation for creating custom streaming commands. The custom command is now in its own app. The splunklib library is located in $SPLUNK_HOME/etc/apps/(app_name)/bin/. The bin directory also holds the python script.
The attribute getinfo will not work. If I set supports_getinfo=0 the command acts like it runs, but will not return results. If I enable supports_getinfo, it returns the error. Debugging the script tells me nothing more than the error on screen.
gmeans.py
#!/usr/bin/env python
import sys
from splunklib.searchcommands import dispatch, StreamingCommand, Configuration, Option, validators

# Geometric Mean Calculator
def geomean(nums):
    numbers = []
    for n in nums:
        if not isinstance(n, float):
            n = float(n)
        numbers.append(n)
    product = 1
    for n in numbers:
        # Prevent 0; n should never be 0 (a zero factor would zero the product).
        if n < 0.25:
            n = 0.04
        product *= n
    return round(product ** (1.0 / len(numbers)), 2)

@Configuration()
class gmeansCommand(StreamingCommand):
    # Options
    fieldname = Option(
        doc=''' **Syntax:** **fieldname=***<fieldname>*
        **Description:** REQUIRED: Name of the field to hold the calculated geometric mean''',
        require=True, validate=validators.Fieldname())
    nums = Option(
        doc=''' **Syntax:** **nums=***<fieldname>*
        **Description:** REQUIRED: Name of the field that contains the list of numbers to be calculated''',
        require=True, validate=validators.Fieldname())

    def stream(self, events):
        for event in events:
            nums = []
            for n in event[self.nums].split():
                nums.append(float(n))
            event[self.fieldname] = geomean(nums)
            yield event  # was 'yield record', an undefined name

dispatch(gmeansCommand, sys.argv, sys.stdin, sys.stdout, __name__)
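A permission audit for the app directory, as an added example that is not from the original post or from Splunk: it walks a tree and reports every file or directory that a given uid/gid could not read or search judging by the mode bits alone (root ignores those bits, which is why a command can work under sudo and fail as the splunk user). build_sample_app() constructs a throwaway tree for the demonstration; the function names and the sample paths are assumptions.

```python
import os
import stat
import tempfile

# Mode bits required for the owner, group and other classes respectively.
READ = (stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH)
SEARCH = (stat.S_IRUSR | stat.S_IXUSR, stat.S_IRGRP | stat.S_IXGRP, stat.S_IROTH | stat.S_IXOTH)

def _allowed(st, uid, gid, need):
    """Apply the class that governs uid/gid (owner, then group, then other).
    Evaluates mode bits only: root's bypass of these bits and POSIX ACLs are ignored."""
    if st.st_uid == uid:
        bits = need[0]
    elif st.st_gid == gid:
        bits = need[1]
    else:
        bits = need[2]
    return st.st_mode & bits == bits

def audit_tree(root, uid, gid):
    """Return (path, reason) for every entry an unprivileged uid/gid could not use."""
    problems = []
    for dirpath, dirnames, filenames in os.walk(root):
        if not _allowed(os.lstat(dirpath), uid, gid, SEARCH):
            problems.append((dirpath, "directory not readable+searchable"))
        for name in filenames:
            path = os.path.join(dirpath, name)
            if not _allowed(os.lstat(path), uid, gid, READ):
                problems.append((path, "file not readable"))
    return problems

def audit_as_current_user(root):
    return audit_tree(root, os.getuid(), os.getgid())

def build_sample_app():
    """Constructed sample tree mimicking etc/apps/<appname>/bin with one unreadable file."""
    root = tempfile.mkdtemp(prefix="gmeans_app_")
    lib = os.path.join(root, "bin", "splunklib")
    os.makedirs(lib)
    good = os.path.join(root, "bin", "gmeans.py")
    bad = os.path.join(lib, "__init__.py")
    for p in (good, bad):
        with open(p, "w") as fh:
            fh.write("# constructed placeholder\n")
    os.chmod(good, 0o775)
    os.chmod(bad, 0o000)  # simulates a file the splunk user cannot read
    return root, good, bad
```

Run it as the splunk user against $SPLUNK_HOME/etc/apps/<appname> (for example audit_as_current_user('/opt/splunk/etc/apps/<appname>')); any path it lists is one the search process cannot open when Splunk is not started as root.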