I am having an issue with piping the output of a custom reporting command, as documented here, into another SPL command. I can get the basic reporting command example to work. It's called "sum" and is provided within the "searchcommands_app" directory of the Splunk Python SDK hosted on GitHub. However, once I get statistics output from the "sum" command, I cannot pipe those results into another command.
This first query works fine:
index = _internal | head 200 | sum total=lines linecount
However, this query does not work:
index = _internal | head 400 | sum total=lines linecount | stats count
When I try to pipe the output of the "sum" command into the "stats" command, I get the following error:
KeyError at "/opt/splunk/etc/apps/t-digest-custom-command/bin/sum.py", line 63 : 'linecount'
Am I getting this error due to a bug in the custom search command API, or am I missing something?
Follow-up question: why don't reporting commands reduce to a single value for sufficiently large numbers of input events? For example, this query yields a single statistic value as I expect:
index = _internal | head 50 | sum total=lines linecount
However, this query yields multiple statistic values, even when I only want one value:
index = _internal | head 400 | sum total=lines linecount