Preserving multi-value fields through custom search command

dbryan
Path Finder

Hello,

I'm trying to build a Python custom search command. The command is run after a transaction, and adds values corresponding to events in the transaction based on the business logic.

This is my search:

sourcetype=mysourcetype | transaction User_ID keepevicted=true mvlist=true | where eventcount > 2 | positioning |  table *

This is the script for my positioning command:

#!/usr/bin/env python2.7
import splunk.Intersplunk

# Read the events piped into the command: search_results is a list of dicts,
# one per event; settings carries the search-time session information.
search_results, dummyresults, settings = splunk.Intersplunk.getOrganizedResults()

def handle_lines(enumerable):
    for i, line in enumerate(enumerable):
        # business logic goes here; for now each event is passed through unchanged
        new_line = line
        yield new_line

output = []
for line in handle_lines(search_results):
    output.append(line)
splunk.Intersplunk.outputResults(output)

(there's a reason for my seemingly redundant use of the generator pattern here)

Even if handle_lines yields each line without doing anything to it, Splunk seems to lose its awareness of all the multi-value fields. Instead of this:

[screenshot omitted]

I get this:

[screenshot omitted]

It does work if I change my handle_lines() function to output them as an array:

def handle_lines(enumerable):
    for i, line in enumerate(enumerable):
        new_line = {}
        for attr in line:
            new_line[attr] = line[attr].split(' ')
        # business logic goes here
        yield new_line

The problem here is that some of my fields have spaces, and this causes them to get broken into multi-valued fields as well. This wreaks havoc with what I'm trying to do back in Splunk - I'm assuming that each event has multiple values for each field corresponding to its eventcount.

I'm surprised that I'm having this issue since I'm just using the data exactly as it's provided by splunk.Intersplunk; I assumed the library would handle the multi-value field logic.

1 Solution

dbryan
Path Finder

Hello, I am the supreme reigning idiot.

I was missing this in commands.conf for the custom search command:

supports_multivalues = true
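To make the mechanism behind that one-line fix concrete, here is an added example (my own Python 3 code, not from the original post and not Splunk's splunk.Intersplunk library): a stand-alone model of the __mv_<field> side column that Splunk uses to hand multi-value fields to an external command once supports_multivalues = true is set. The encoding details ($-wrapped values joined by ';', a literal '$' doubled, the plain column newline-joined) are stated from my understanding of the Intersplunk CSV protocol and should be treated as an assumption; the sample events are constructed, and the field names Action and Path_Name are placeholders rather than anything from the original search.

```python
"""
Stand-alone model of the __mv_<field> side column that Splunk uses to pass
multi-value fields to an external search command once commands.conf has
supports_multivalues = true.  Added example, not Splunk's library code; the
encoding details are an assumption about the Intersplunk CSV protocol.
The stanza being modelled:

    [positioning]
    filename = positioning.py
    supports_multivalues = true
"""
import csv
import io
import re

MV_PREFIX = "__mv_"
# One encoded item: $value$ followed by ';' or end of string; '$$' is a literal '$'.
_MV_ITEM = re.compile(r"\$((?:[^$]|\$\$)*)\$(?:;|$)")


def encode_mv(values):
    """List -> side-column text: $-wrapped values joined by ';', '$' doubled."""
    return ";".join("$" + v.replace("$", "$$") + "$" for v in values)


def decode_mv(encoded):
    """Side-column text -> list; rejects text that is not in the encoding."""
    values, pos = [], 0
    while pos < len(encoded):
        m = _MV_ITEM.match(encoded, pos)
        if not m:
            raise ValueError("malformed multivalue encoding: %r" % encoded)
        values.append(m.group(1).replace("$$", "$"))
        pos = m.end()
    return values


def write_results(results):
    """Serialise result dicts as a multivalue-aware command would: list values
    go newline-joined in the plain column and encoded in the __mv_ column."""
    fields = []
    for r in results:
        for k in r:
            if k not in fields:
                fields.append(k)
    header = [h for f in fields for h in (f, MV_PREFIX + f)]
    out = io.StringIO(newline="")
    writer = csv.DictWriter(out, fieldnames=header)
    writer.writeheader()
    for r in results:
        row = {}
        for f in fields:
            v = r.get(f, "")
            is_list = isinstance(v, list)
            row[f] = "\n".join(v) if is_list else v
            row[MV_PREFIX + f] = encode_mv(v) if is_list else ""
        writer.writerow(row)
    return out.getvalue()


def read_results(text):
    """Parse the CSV back, restoring a list only where the __mv_ column is
    non-empty; a single value containing spaces comes back untouched."""
    results = []
    for row in csv.DictReader(io.StringIO(text, newline="")):
        rec = {}
        for k, v in row.items():
            if k.startswith(MV_PREFIX):
                continue
            mv = row.get(MV_PREFIX + k) or ""
            rec[k] = decode_mv(mv) if mv else v
        results.append(rec)
    return results


# Constructed sample standing in for `transaction User_ID mvlist=true` output;
# the field names other than User_ID are placeholders.
SAMPLE = [
    {"User_ID": "u1042",
     "Action": ["login", "view report", "logout"],
     "Path_Name": "/Program Files/App/config.ini"},
    {"User_ID": "u2077",
     "Action": ["login", "logout"],
     "Path_Name": "C:\\Users\\Public\\cost $ report.txt"},
]


def round_trip(results):
    """Write then read back: with the side columns present nothing is lost."""
    return read_results(write_results(results))


if __name__ == "__main__":
    for rec in round_trip(SAMPLE):
        print(rec)
```

The round trip shows why the setting matters: a single value with spaces (Path_Name) comes back unchanged because its __mv_ column is empty, while the list-valued Action field (including the two-word "view report") is restored from the side column rather than by splitting on a delimiter, which is exactly what the split(' ') workaround in the question could not do. Without the setting there is no side column, so the command only ever sees the flattened plain column.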


dbryan
Path Finder

I've considered that I might need a search-time transform to replace spaces within my fields with some other values prior to passing them to my custom command, but I'd really like to avoid this if possible.
