Splunk Enterprise

Custom Search Reporting Command

cave_dweller
Observer

Hello,

I am having an issue with piping the output of a custom reporting command, as documented here, into another SPL command. I can get the basic reporting command example to work. It's called "sum" and is provided within the "searchcommands_app" directory of the Splunk Python SDK hosted on GitHub. However, once I get statistics output from the "sum" command, I cannot pipe those results into another command.

This first query works fine:

 

index = _internal | head 200 | sum total=lines linecount

 

However, this query does not work:

 

index = _internal | head 400 | sum total=lines linecount | stats count

 

When I try to pipe the output of the "sum" command into the "stats" command, I get the following error:

 

KeyError at "/opt/splunk/etc/apps/t-digest-custom-command/bin/sum.py", line 63 : 'linecount'

 

Am I getting this error due to a bug in the custom search command API, or am I missing something?

Thanks,

 

Follow up question: why don't reporting commands reduce to a single value for sufficiently large numbers of input events? For example, this query yields a single statistic value as I expect:

 

index = _internal | head 50 | sum total=lines linecount

 

However, this query yields multiple statistic values, even when I only want one value:

 

index = _internal | head 400 | sum total=lines linecount

 

 

 

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!