Splunk Enterprise

Custom Search Reporting Command



I am having an issue with piping the output of a custom reporting command, as documented here, into another SPL command. I can get the basic reporting command example to work. It's called "sum" and is provided within the "searchcommands_app" directory of the Splunk Python SDK hosted on GitHub. However, once I get statistics output from the "sum" command, I cannot pipe those results into another command.

This first query works fine:


index = _internal | head 200 | sum total=lines linecount


However, this query does not work:


index = _internal | head 400 | sum total=lines linecount | stats count


When I try to pipe the output of the "sum" command into the "stats" command, I get the following error:


KeyError at "/opt/splunk/etc/apps/t-digest-custom-command/bin/sum.py", line 63 : 'linecount'


Am I getting this error due to a bug in the custom search command API, or am I missing something?



Follow-up question: why don't reporting commands reduce to a single value for sufficiently large numbers of input events? For example, this query yields a single statistic value as I expect:


index = _internal | head 50 | sum total=lines linecount


However, this query yields multiple statistic values, even when I only want one value:


index = _internal | head 400 | sum total=lines linecount




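Added illustration (not code from the post above, and not the SDK's sum.py): a plain-Python model of the two phases a Splunk SDK ReportingCommand runs in. Splunk invokes the command's map method on each chunk of events and then invokes reduce once over the records the map phases emitted, so the reduce phase only ever sees the field named by total=, never the original event field. The EVENTS list, the chunk size and the field values are constructed here to make that hand-off visible offline; the model does not claim to diagnose the poster's modified sum.py, only to show what each phase receives.

```python
"""Model of a Splunk SDK ReportingCommand's map and reduce phases (added example).

Splunk runs a reporting command's map phase on each chunk of events and
then runs reduce ONCE over the map phases' output records. Nothing here
imports splunklib; the phases are plain functions so the hand-off between
them can be inspected without a Splunk instance.
"""
from typing import Dict, Iterable, List

# Constructed sample input: 400 events whose linecount cycles 1..5 (sum = 1200).
EVENTS: List[Dict[str, str]] = [
    {"_raw": f"event {i}", "linecount": str(i % 5 + 1)} for i in range(400)
]


def sum_map(records: Iterable[Dict[str, str]], fieldnames: List[str], total: str) -> List[Dict[str, float]]:
    """Map phase: sum the requested event fields over one chunk and emit ONE partial record.

    The partial record carries only the output field (total=), e.g. {"lines": 300.0}.
    """
    acc = 0.0
    for record in records:
        for fieldname in fieldnames:
            acc += float(record[fieldname])  # KeyError if an event lacks the field
    return [{total: acc}]


def sum_reduce(partials: Iterable[Dict[str, float]], total: str) -> List[Dict[str, float]]:
    """Reduce phase: combine the map partials into one record.

    Reads record[total] because that is the only field the map phase produced.
    """
    acc = 0.0
    for record in partials:
        acc += float(record[total])
    return [{total: acc}]


def broken_reduce(partials: Iterable[Dict[str, float]], fieldnames: List[str]) -> List[Dict[str, float]]:
    """Reduce phase that wrongly indexes the ORIGINAL event field.

    The map output has no such field, so this raises KeyError(fieldname).
    Kept deliberately broken to show the failure mode.
    """
    acc = 0.0
    for record in partials:
        for fieldname in fieldnames:
            acc += float(record[fieldname])
    return [{"total": acc}]


def map_only(events: List[Dict[str, str]], fieldnames: List[str], total: str, chunk_size: int) -> List[Dict[str, float]]:
    """Run only the map phase over fixed-size chunks; returns one partial per chunk.

    chunk_size is an assumption of this model; Splunk decides chunk boundaries itself.
    """
    partials: List[Dict[str, float]] = []
    for start in range(0, len(events), chunk_size):
        partials.extend(sum_map(events[start:start + chunk_size], fieldnames, total))
    return partials


def run_reporting(events: List[Dict[str, str]], fieldnames: List[str], total: str, chunk_size: int) -> List[Dict[str, float]]:
    """Full map-then-reduce pipeline: always yields exactly one record."""
    return sum_reduce(map_only(events, fieldnames, total, chunk_size), total)


if __name__ == "__main__":
    partials = map_only(EVENTS, ["linecount"], "lines", chunk_size=100)
    print("map partials (one per chunk):", partials)          # 4 records of {"lines": 300.0}
    print("after reduce:", run_reporting(EVENTS, ["linecount"], "lines", 100))  # [{"lines": 1200.0}]
    try:
        broken_reduce(partials, ["linecount"])
    except KeyError as exc:
        print("reduce indexing the event field fails with KeyError:", exc)
```

Two things the model makes concrete: a downstream command such as stats only receives the single record that reduce emits, so it sees a field called lines and no linecount; and if the reduce phase does not run or does not combine its input, what remains is one partial record per chunk of events, which is a multi-row result for a large search and a single row for a search small enough to fit in one chunk.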