Activity Feed
- Got Karma for Custom search command executed multiple times with protocol v2. 05-14-2021 09:45 AM
- Got Karma for Custom search command executed multiple times with protocol v2. 06-05-2020 12:50 AM
- Got Karma for Custom search command executed multiple times with protocol v2. 06-05-2020 12:50 AM
- Got Karma for Custom search command executed multiple times with protocol v2. 06-05-2020 12:50 AM
- Karma How to stop custom search command from calling multiple times? for arkadyz1. 06-05-2020 12:49 AM
- Karma How do I get the sessionKey from a Splunk app's serverside python code? for robertlight. 06-05-2020 12:47 AM
- Karma Not able to use oneshot method to execute splunk query to fetch data from inputlookup for shreyans. 06-05-2020 12:47 AM
- Karma Re: Not able to use oneshot method to execute splunk query to fetch data from inputlookup for jkat54. 06-05-2020 12:47 AM
- Karma After adding logging statements into Python script and running it via Splunk CLI, why are there no log messages in python.log? for ConnorG. 06-05-2020 12:47 AM
- Got Karma for Re: Not able to use oneshot method to execute splunk query to fetch data from inputlookup. 06-05-2020 12:47 AM
- Got Karma for Re: Not able to use oneshot method to execute splunk query to fetch data from inputlookup. 06-05-2020 12:47 AM
- Karma Re: "Events may not be returned in sub-second order due to search memory limits configured in limits.conf:[search]:max_rawsize_perchunk." error after upgrade to Splunk 6.0.1 for sideview. 06-05-2020 12:46 AM
- Karma Re: Python SDK - results.ResultsReader extremely slow for richardhull_bjs. 06-05-2020 12:46 AM
- Posted Custom search command executed multiple times with protocol v2 on Splunk Dev. 10-26-2018 07:09 AM
- Tagged Custom search command executed multiple times with protocol v2 on Splunk Dev. 10-26-2018 07:09 AM
- Tagged Custom search command executed multiple times with protocol v2 on Splunk Dev. 10-26-2018 07:09 AM
- Tagged Custom search command executed multiple times with protocol v2 on Splunk Dev. 10-26-2018 07:09 AM
- Posted Re: How to import Python module from subdirectory in appserver/controllers? on Splunk Dev. 04-18-2017 02:02 AM
- Posted Re: How to import Python module from subdirectory in appserver/controllers? on Splunk Dev. 04-18-2017 12:46 AM
- Posted Re: Not able to use oneshot method to execute splunk query to fetch data from inputlookup on Splunk Dev. 12-21-2016 07:22 AM
Topics I've Started
Subject | Karma | Author | Latest Post |
---|---|---|---|
4 | |||
0 | |||
0 | |||
0 |
10-26-2018
07:09 AM
4 Karma
Hi, I thought my custom search command was working fine, until I added some logs. The logs showed me that for a single call to the command, the code was run multiple (3-4) times. My command is built using protocol version 2.
I'm aware of this question, but the answer looks like a hack.
Checkout the logs below. Does everything look fine to you? How can I fix it?
Example:
import logging
from splunklib.searchcommands import dispatch, EventingCommand, Configuration
logger = setup_logger(logging.DEBUG)
logger.info("start log")
@Configuration()
class OutputFTP(EventingCommand):
def transform(self, records):
logger.info('inside transform')
for record in records:
yield record
logger.info("before dispatch")
dispatch(OutputFTP, sys.argv, sys.stdin, sys.stdout, __name__)
logger.info("after dispatch")
Result logs:
2018-10-26 15:49:34,196 INFO start log
2018-10-26 15:49:34,196 INFO before dispatch
2018-10-26 15:49:34,197 INFO inside transform
2018-10-26 15:49:34,198 INFO after dispatch
2018-10-26 15:49:34,262 INFO start log
2018-10-26 15:49:34,263 INFO before dispatch
2018-10-26 15:49:34,264 INFO inside transform
2018-10-26 15:49:34,265 INFO after dispatch
2018-10-26 15:49:34,358 INFO start log
2018-10-26 15:49:34,359 INFO before dispatch
2018-10-26 15:49:34,360 INFO inside transform
2018-10-26 15:49:34,425 INFO start log
2018-10-26 15:49:34,425 INFO before dispatch
2018-10-26 15:49:34,426 INFO inside transform
2018-10-26 15:49:34,429 INFO after dispatch
commands.conf
[my_command]
filename = my_command.py
chunked = true
run_in_preview = false
... View more
Labels
- Labels:
-
python
04-18-2017
02:02 AM
This works, indeed. Thank you for your answer.
... View more
04-18-2017
12:46 AM
I still haven't found a solution to my problem which was: keeping the code inside the app structure.
If you don't have this requirement, have you tried putting your ready made class inside a module and inside the following folder?
$SPLUNK_HOME/lib/python2.7/site-packages
... View more
12-21-2016
07:22 AM
Hmm, I believe it wasn't me on slack. But still, thanks for your help with this!
... View more
12-21-2016
01:24 AM
2 Karma
Hi, I had the same problem as OP and @jkat54's answer helped me a lot.
My lookup was defined for a specific app and I wasn't specifying the app when connecting to splunklib.client .
Therefore, in the following code: job1 returns no results and job2 returns what I expected.
service1 = splunklib.client.connect(username="grinch", password="who")
job1 = service1.jobs.oneshot("| inputlookup whoville_addresses")
service2 = splunklib.client.connect(username="grinch", password="who", app="steal_xmas")
job2 = service2.jobs.oneshot("| inputlookup whoville_addresses")
... View more
12-20-2016
01:13 AM
Sorry about the delay and thanks for the detailed example.
I believe your example shows the implementation of a rest handler defined in restmap.conf .
I am using a python controller/endpoint defined in web.conf and appserver/controllers .
Therefore, my main class is not splunk.admin.MConfigHandler but splunk.appserver.mrsparkle.controllers.BaseController .
I feel like I haven't provided enough information on my general goal.
The background to this question is in this other question.
Since that unanswered question, I decided to authenticate and authorize users myself:
1. I have created an auth/login custom controller that takes (admin, password) and returns a sessionKey. (using splunklib.client module)
2. All my other web services take the sessionKey as a parameter and check if it is valid to authorize the request.
3. I find it ugly to pass the sessionKey as a param and I would like to pass it in an header that looks appropriate.
... View more
12-15-2016
12:48 AM
Hi, thanks for your comment. Can you tell me more about "authenticating against Splunk programmatically" and "passing a header through to custom Splunk commands"?
Do you mean by using username and password through the management port on endpoint 'auth/login'?
... View more
12-14-2016
09:58 AM
Hi,
This is another question about custom python controllers and endpoints.
I have programmed a custom endpoint available at: http://localhost:8080/en-US/custom/my_app/my_script/test
I make an ajax request from a browser inserting an Authorization header.
I am trying to read the value of this header in my python controller, but it doesn't appear.
I have tried using cherrypy headers, but although I get plenty of HTTP headers, I can't see the one I want: Authorization .
Any hints on why I get some headers but not that one?
I have my endpoint script in appserver/controllers:
#my_script.py
import splunk.appserver.mrsparkle.controllers as controllers
from splunk.appserver.mrsparkle.lib.decorators import expose_page
import cherrypy
class Controller(controllers.BaseController):
@expose_page(must_login=False, methods=['GET'])
def test(self, **kwargs) :
return cherrypy.request.headers.output()
This is my ajax request:
$.ajax({
type: "GET",
crossDomain:true,
url: "http://localhost:8080/en-US/custom/my_app/my_script/test",
headers: {
"Authorization" : "whatever"
},
success: function (response){
console.log(response);
}
});
This is what I get as a response:
[('Te', 'chunked'),
('Accept-Encoding', 'gzip'),
('Host', 'localhost:8080'),
('Accept', '*/*'),
('X-Splunkd', 'Z/sOmesTrINg/A=='),
('Remote-Addr', '127.0.0.1'),
('Referer', 'https://server-of-origin/page.html'),
('Accept-Language', 'en-US,en;q=0.8'),
('User-Agent', 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36'),
('Origin', 'https://server-of-origin')]
What I am expecting is to see another tuple like: ('Authorization','whatever')
... View more
12-06-2016
07:31 AM
Hi, thank you for your answer.
My controllers already work fine with :
- [endpoint:my_script] in web.conf
- my_script.py as a file name in controllers
- class random_name(controllers.BaseController): in my_script.py
In this Splunk Wiki page, someone shows an example where the class name doesn't match the file name. https://wiki.splunk.com/Community:40GUIDevelopment
What I am trying to achieve is moving some code from controllers to subdirectories.
... View more
12-06-2016
05:13 AM
I fixed this by specifying the HTTP POST method in the decorators.
@expose_page(must_login=False, methods=['POST'])
If you don't, the method defaults to GET and doesn't read parameters from the body.
Also don't forget to specify a locale like en-US in the URL or else you will be slapped by a 405 Method Not Allowed error.
... View more
12-06-2016
04:01 AM
Dear Splunk,
I have quite a few custom endpoints in my web.conf file.
This leads to many Python scripts in my appserver/controllers directory and many helper scripts for functions used by several endpoints.
I would like to tidy up this directory by putting some of the scripts in local packages or subdirectories.
As an example, here's my file structure:
appserver
--->controllers
------->my_script.py
------->mylib
---------->mymod.py
My code:
#mymod.py
def scream():
return 'YEAH!'
#my_script.py
import splunk.appserver.mrsparkle.controllers as controllers
from splunk.appserver.mrsparkle.lib.decorators import expose_page
import mylib.mymod as mm
class Controller(controllers.BaseController):
@expose_page(must_login=False, methods=['GET'])
def scream(self, **kwargs) :
return mm.scream()
Now, if I add a empty __init__.py file to /mylib , mylib behaves like a package, and if I test the script locally with splunk's python interpreter in CLI: splunk cmd python my_script.py , I am able to import to import my module and use the scream() function from my_script.py.
However, the import doesn't work one I try to run the script through the web service: http://localhost:8000/en-US/custom/my_app/my_script/scream throws a 404 Error.
What's the Splunk-approved way of organizing code in my controllers directory ?
... View more
11-10-2016
06:34 AM
Dear Splunk genie,
I have configured a custom REST endpoint with a Python script.
When I call my endpoint with fields in the query string I am able to read them in my Python script.
However, if I try to use the POST method with data in the request body, I can't access this data in my Python script.
What is the correct way to POST data to a custom endpoint and handle it in a python script ?
This is my code so far :
Below : my_app/local/web.conf (Holds a stanza with the name of my endpoint)
[endpoint:my_script]
Below : my_app/appserver/controllers/my_script.py (Holds my script, with name matching the endpoint)
import splunk.appserver.mrsparkle.controllers as controllers
from splunk.appserver.mrsparkle.lib.decorators import expose_page
class Controller(controllers.BaseController):
@expose_page(must_login=False)
def my_function(self, **kwargs) :
arg1 = kwargs.get('arg1', 'default_val_arg1')
arg2 = kwargs.get('arg2', 'default_val_arg2')
return arg1 + arg2
Now using a REST client.
GET on the following url returns "onetwo", which is good.
http://localhost:8000/en-US/custom/my_app/my_script/my_function?arg1=one&arg2=two
POST on the following url returns "default_val_arg1default_val_arg2"
With Content-type : application/x-www-form-urlencoded
And Body : arg1=one&arg2=two
http://localhost:8000/en-US/custom/my_app/my_script/my_function
... View more