Splunk Dev
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Events Being Passed to Custom Commands More Than Once

cschmidt0121
Path Finder
‎12-06-2013 12:18 PM

I've been working with custom commands for a while, and I've noticed some weird behavior regarding how events are passed into commands. It is my understanding that regardless of whether a command is declared to be streaming or not, Splunk may choose to send events to the command in chunks instead of one large set. So what I would expect to see is something like this:

For a total of 15,000 events piped into custom command "cmd"...

Splunk sends cmd events 0-5000
cmd completes and outputs results

Splunk sends cmd events 5001-10000
cmd completes and outputs results

Splunk sends cmd events 10001-15000
cmd completes and outputs results

However, by having my command log the events it receives, I instead see something that resembles this:

Splunk sends cmd events 0-5000
cmd completes and outputs results

Splunk sends cmd events 0-10000
cmd completes and outputs results (these results OVERWRITE previous results!)

Splunk sends cmd events 0-15000
cmd completes and outputs results (these results OVERWRITE previous results!)

So events 0-5000 end up being passed to the command 3 times, and events 5001-10000 are passed twice. Is this intended behavior? If so, can anyone explain why?

0 Karma
Reply

kchen_splunk
Splunk Employee
Splunk Employee
‎12-03-2014 12:49 AM

Setting "run_in_preview = false" in commands.conf will solve the problme

0 Karma
Reply

dart
Splunk Employee
Splunk Employee
‎12-16-2013 06:08 AM

This is, as far as I know the intended behaviour for preview functionality in Splunk.

Overwriting previous results makes sense to me - for example if you were implemented a command that added some global state to each event (like eventstats) then the more complete input would be correct, and the partial one doesn't.

I'd suggest also that you have a look at the new python SDK examples which make writing custom search commands easier

Reply

cschmidt0121
Path Finder
‎12-16-2013 12:03 PM

Ooooh. I see. Thank you very much for the response.

0 Karma
Reply

dart
Splunk Employee
Splunk Employee
‎12-16-2013 11:38 AM

It's so we can display the preview results - it's pretty handy for seeing if you're going to get the right data.

0 Karma
Reply

cschmidt0121
Path Finder
‎12-16-2013 11:32 AM

Yeah that certainly makes sense. I'm still confused as to why Splunk runs the command multiple times in the first place, though, if it's just going to discard the results of the first two runs.

Thanks for the link to the new SDK examples; I'm looking over them now.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...