Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Preview generating custom command result

electronicsplun
New Member
‎11-20-2018 01:34 AM

Hi

I want to add a generating custom command that will query one of our DBs. So I have followed the tutorials and created a class that inherits from GeneratingCommand and implemented the generate method. Problem is that Splunk waits for all the results to return and the query might be slow (4-5 seconds). So following some of the docs it looks like timeline_events_preview is what I need but I still don't get the live update of the events view (Similar to using the builtin search command).

I can't post the original code (for copyright reasons) but I can't make it work even with the next simple example:

@Configuration(streaming=True)
class MyGeneratingCommand(GeneratingCommand):
    def generate(self):
        for i in range(10 ** 6):
            yield {'_time': time.time(), '_raw': 'test {}'.format(i), 'events_no': i}

I added a limits.conf file to $SPLUNK_HOME/etc/apps/myapp/local with:

[search]
timeline_events_preview = true

When I use the custom command Splunk waits for all 1 million results to return before showing some of them in the events view.

0 Karma
Reply

electronicsplun
New Member
‎11-25-2018 06:19 AM

So my problem was that I used the SCPv1 instead of using SCPv2 that supports the chunked. This property of the SCPv2 should be documented more because I didn't find any explicit and clear description of the differences between v1 and v2.

0 Karma
Reply

kcnolan13
Communicator
‎10-21-2019 07:59 AM

So you actually solved the problem? I'm trying the same thing using SCPv2 and it still waits for all 1M results before showing them in preview. Same configuration settings and CSC.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...