×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
bpna
Explorer
Member since: ‎04-28-2021
‎08-02-2022
Community Statistics
Posts 6
Solutions 0
Karma Given 0
Karma Received 2
Member Since ‎04-28-2021
View All

Re: External python search - Error "Failed to pars...

by in Splunk Search
‎08-02-2022 09:02 AM
‎08-02-2022 09:02 AM
That's interesting, thanks for the info. Helpful to know it's an issue with Splunk's usage of python internally. I was able to solve it by editing commands.conf to the following: [list_entities] filename = list_entities.py enableheader = true outputheader = true requires_srinfo = true supports_getinfo = true supports_multivalues = true supports_rawargs = true python.version = python3   ... View more

Re: External python search - Error "Failed to pars...

by in Splunk Search
‎03-10-2022 05:13 PM
2 Karma
‎03-10-2022 05:13 PM
2 Karma
I solved it! The solution reflects SO poorly on Splunk. I ran my command with "--debug" and got this output: Command list_entities appears to be statically configured for search command protocol version 1 and static configuration is unsupported by splunklib.searchcommands. Please ensure that default/commands.conf contains this stanza: [generatetext] filename = generatetext.py enableheader = true outputheader = true requires_srinfo = true supports_getinfo = true If you add those settings to your commands.conf it should work Splunk's OWN DOCS AND EXAMPLES IN MULTIPLE PLACES say "chunked = true" specifies search command protocol version 2 Like here https://dev.splunk.com/enterprise/docs/devtools/customsearchcommands/createcustomsearchcmd#Register-your-custom-search-command And here https://docs.splunk.com/Documentation/ITSI/4.12.0/Configure/commands.conf And here https://github.com/splunk/splunk-sdk-python/blob/master/examples/searchcommands_app/package/default/commands.conf Wow.   ... View more

Re: External python search - Error "Failed to pars...

by in Splunk Search
‎03-10-2022 04:15 PM
‎03-10-2022 04:15 PM
I'm having the same issue. Actually after pulling my hair out over it, copied the generatetext command example from Splunk SDK for Python GitHub repo into my instance https://github.com/splunk/splunk-sdk-python/blob/master/examples/searchcommands_app/package/bin/generatetext.py Copied default/commands.conf. Setup splunklib directory. Splunk v8.2.2, should play nicely with python3 Still failing with this error. Did you ever solve it? ... View more

Re: Using like() not working in where statement

by in Splunk Search
‎04-28-2021 02:29 PM
‎04-28-2021 02:29 PM
I was able to solve this by putting the condition in the first line of the search, like this: index=alerts data.rule.name="Target Trends, Trending Targets in Watch List" It still bugs me that | where like() isn't working the way I'd expect it to, if anyone has advice I am all ears! ... View more

Using like() not working in where statement

by in Splunk Search
‎04-28-2021 02:20 PM
‎04-28-2021 02:20 PM
I have an alerts index which has a data.rule.name field containing the following values: COVID-19 linked Cyber Attacks (Social Media) 2 40%   Global Trends, Trending Targets 1 20%   Locations by Risk Level 1 20%   Target Trends, Trending Targets in Watch List 1 20%   I would like to filter events to only include ones where data.rule.name begins with "Target Trends..." My SPL is as follows: index=alerts | where like(data.rule.name, "Target Trends.%") This produces 0 events. Am I using this function wrong?   ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎08-02-2022 12:23 PM
Karma from
View All