Getting interesting field's data for Custom Command's Calculation

bloodstrife
Engager

Hi everyone, I am doing a custom command for some calculation, and I needed one of the fields which I have loaded in from the API using the following code in my first Python file:

    import json
    import urllib2  # Python 2 standard library

    url = "intended API's url"  # placeholder for the API endpoint
    page = urllib2.urlopen(url)
    content = page.read()
    dengDictionary = json.loads(content)  # parse the JSON response into a dict

The field which I needed for the calculation is now in one of my interesting fields when I look at the Splunk Search App. What do I have to do, or how should I do it, such that it will be able to get this interesting field into my second Python file for the calculation when I run my Custom Command?

0 Karma
1 Solution

sideview
SplunkTrust

Whether or not a field is in the "selected" fields or in the "interesting fields" area doesn't really matter in a way. If it's present in either area, that means that the field is present in the search results, which in turn means that your custom commands can access it.

As to how in general to make sure the field makes it to your custom command(s) safely, just

1) don't have a fields command whack it away,

2) if you've one or more transforming commands like stats, remember that you have to pass it on somehow (e.g. with last(foo)),

3) if your custom command is in a postProcess search, make sure to read up on postProcess pitfalls and have the field referenced somewhere explicitly in the base search, like with a fields clause on the end of the search. If it's not explicitly in there, Splunk may be optimizing it away, which will make it seem to vanish from your base search results.


0 Karma


nick
Explorer

Yep. At each pipe just picture a bunch of rows, each of which is just a set of key value pairs. A custom command can receive this and process it just like one of the core commands like "top" does.

Also, if you feel like you're not finding enough examples of custom Python search commands in the docs, remember you can read the source of any of the ones that ship, e.g. in the search app: "$SPLUNK_HOME/etc/apps/search/bin"

0 Karma
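The row model described in the answers above, as an added example that is not part of the original thread and is not Splunk's own code: a script that treats each result as a dict of field names to values and reports rows where `center` never arrived. It assumes results are passed as CSV with a header row on stdin (the legacy script protocol with `enableheader = false` in commands.conf); the `center_len` calculation and the sample rows are constructed for illustration.

```python
import csv
import sys

FIELD = "center"  # field name taken from the thread


def read_rows(stream):
    """Parse CSV results into one dict per row (field name -> value)."""
    return list(csv.DictReader(stream))


def add_center_len(rows, field=FIELD):
    """Hypothetical calculation: center_len = length of the field's value.

    Returns (rows, missing); missing counts rows that arrived without the
    field, e.g. because an earlier `fields` or `stats` dropped it.
    """
    missing = 0
    for row in rows:
        value = row.get(field)
        if value:
            row["center_len"] = str(len(value))
        else:
            missing += 1
            row["center_len"] = ""
    return rows, missing


def write_rows(rows, stream):
    """Write rows back out as CSV, keeping first-seen column order."""
    names = []
    for row in rows:
        names.extend(k for k in row if k not in names)
    writer = csv.DictWriter(stream, fieldnames=names, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)


# Constructed sample inputs (not real data from the thread).
SAMPLE_OK = "sourcetype,center\njson_onemap,North\njson_onemap,South West\n"
SAMPLE_DROPPED = "sourcetype,count\njson_onemap,2\n"  # e.g. after `stats count by sourcetype`

if __name__ == "__main__":
    rows, missing = add_center_len(read_rows(sys.stdin))
    if missing:
        sys.stderr.write("%d row(s) arrived without %r\n" % (missing, FIELD))
    write_rows(rows, sys.stdout)
```

A non-zero `missing` count is the symptom the accepted answer warns about: the field was dropped somewhere earlier in the pipeline, not inside the custom command.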

bloodstrife
Engager

Hi sideview, thanks for your time.
I have just started on Splunk and to be honest I know very little about it.

I would like to ask if the usage of something like this would allow me to actually use my custom command with an interesting field:

    sourcetype="json_onemap" | top center

center is one of my interesting fields

If I replace the "top" command with my very own custom command, logically it would work, right?

0 Karma