How to resolve Splunk SDK for Python custom streaming search command?

kcnolan13
Communicator

I am building a custom streaming search command using the Python SDK and the instructions laid out here. So far, I'm just testing the basic process of trying to get the command to run from within Splunk (i.e. the command itself doesn't do anything yet). However, I'm running into trouble simply importing the SDK libraries shown in the example. Here is a stack trace from the job inspector:

[screenshot of the job inspector stack trace; image not included in this copy]

I copied the splunklib folder from the SDK into my app's bin directory, and below is the streaming command's code so far. Anyone have an idea what's wrong here? I'm not sure what "No section: 'handlers'" would mean in this context.

import sys
from splunklib.searchcommands import dispatch, StreamingCommand, Configuration, Option, validators


@Configuration()
class ipasnCommand(StreamingCommand):

    def stream(self, events):
        # Put your event transformation code here
        pass

dispatch(ipasnCommand, sys.argv, sys.stdin, sys.stdout, __name__)

1 Solution

kcnolan13
Communicator

Solution was to simply add this to logging.conf:

[handlers]
keys = app, splunklib, stderr


mrgibbon
Contributor

Where is this logging.conf file?
Thanks

0 Karma

jawaharas
Motivator

'logging.conf' file should be under "$SPLUNK_HOME/etc//default" folder

0 Karma

jkat54
SplunkTrust

Never change files in /etc/system/default

Put it in $splunk_home/etc/apps/appName/local

0 Karma

jkat54
SplunkTrust

You're importing Configuration which I assume is causing this.

Try breaking your imports out into one line each and see what line causes the error. 99% chance it's Configuration.

from splunklib.searchcommands import dispatch
from splunklib.searchcommands import Configuration
...
And so on

It's looking for a .conf file with a section called handlers... Example:

[handlers]
Key=value

0 Karma

kcnolan13
Communicator

Thanks, just figured that part out on my own I think. Does anyone have an example of a streaming command that actually does something? I'm not sure what the syntax is for modifying events in the "def stream(self, events):" function. Having pass in there doesn't seem to work... the web interface is throwing: TypeError at "/opt/splunk/etc/apps/ip_asn/bin/splunklib/searchcommands/internals.py", line 519 : 'NoneType' object is not iterable

0 Karma

kcnolan13
Communicator

Never mind, figured it out. Just need to iterate over events and yield each one.

0 Karma
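A streaming command that does what the post above describes (iterate over the events and yield each one), added here as an example and not code from the thread. It also annotates an IP field with an ASN from a small embedded prefix table; reading the command name ipasn as "IP to ASN", the field names src_ip/asn, and the prefix table itself are assumptions, and the table uses documentation ranges only.

```python
import sys
import ipaddress

# Constructed sample prefix table (assumption: a real command would load a
# routing snapshot). Two overlapping 203.0.113.0 prefixes exercise longest-match.
ASN_TABLE = {
    ipaddress.ip_network("192.0.2.0/24"): 64496,
    ipaddress.ip_network("198.51.100.0/24"): 64497,
    ipaddress.ip_network("203.0.113.0/25"): 64498,
    ipaddress.ip_network("203.0.113.0/24"): 64499,
}


def lookup_asn(ip_text):
    """Longest-prefix match; None for unparsable or unknown addresses."""
    try:
        addr = ipaddress.ip_address(str(ip_text).strip())
    except ValueError:
        return None
    best = None
    for net, asn in ASN_TABLE.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn)
    return best[1] if best else None


def annotate(events, ip_field="src_ip", out_field="asn"):
    """Generator over Splunk records (dicts). Every record is yielded, annotated
    when the lookup succeeds. A bare `pass` body returns None instead of an
    iterable, which is the "'NoneType' object is not iterable" error above."""
    for event in events:
        asn = lookup_asn(event.get(ip_field, ""))
        if asn is not None:
            event[out_field] = asn
        yield event


try:
    from splunklib.searchcommands import dispatch, StreamingCommand, Configuration, Option

    @Configuration()
    class ipasnCommand(StreamingCommand):
        # Usage in SPL: ... | ipasn ipfield=clientip
        ipfield = Option(require=False, default="src_ip")

        def stream(self, events):
            return annotate(events, self.ipfield)

    # dispatch() only runs the command when module_name == "__main__".
    dispatch(ipasnCommand, sys.argv, sys.stdin, sys.stdout, __name__)
except ImportError:
    pass  # splunklib is only on sys.path inside the app's bin directory; annotate() still works
```

The splunklib folder from the SDK still has to sit next to this script in the app's bin directory for the import to succeed when Splunk runs it.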

kcnolan13
Communicator

Update, I stuck this in logging.conf:

[handlers]
keys =

Now, there is a fun new error:

02-02-2017 14:38:25.649 ERROR ChunkedExternProcessor - stderr:   File "/opt/splunk/etc/apps/ip_asn/bin/splunklib/searchcommands/environment.py", line 102, in configure_logging
02-02-2017 14:38:25.649 ERROR ChunkedExternProcessor - stderr:     fileConfig(filename, {'SPLUNK_HOME': splunk_home})
02-02-2017 14:38:25.649 ERROR ChunkedExternProcessor - stderr:   File "/opt/splunk/lib/python2.7/logging/config.py", line 86, in fileConfig
02-02-2017 14:38:25.649 ERROR ChunkedExternProcessor - stderr:     _install_loggers(cp, handlers, disable_existing_loggers)
02-02-2017 14:38:25.649 ERROR ChunkedExternProcessor - stderr:   File "/opt/splunk/lib/python2.7/logging/config.py", line 205, in _install_loggers
02-02-2017 14:38:25.649 ERROR ChunkedExternProcessor - stderr:     log.addHandler(handlers[hand])
02-02-2017 14:38:25.649 ERROR ChunkedExternProcessor - stderr: KeyError: 'stderr'

0 Karma

kcnolan13
Communicator

Okay, so just by playing around with it, I seem to have worked around the errors.

Using this did the trick:
[handlers]
keys = app, splunklib, stderr
