Splunk Search

How to get custom search command to run local on search head

scottsavareseat
Path Finder

I'm trying to use the Python SDK to build a custom search command. In my commands.conf, I have "chunked = true" set. I should therefore be using version 2 of the search command language. In my Python script, I have the following lines:

from splunklib.searchcommands import dispatch, StreamingCommand, Configuration
@Configuration(distributed=False,type='streaming')    

When I remove the type variable from the configuration decorator, the command tries to execute on all my indexers. However, I want it to run locally on the search head for now so I can test it and fix issues without having to deploy it all over the place. When I add the type variable, I get the following error messages. There is a ValueError saying that I can't set the type variable. Is there a way around this problem?

01-29-2020 20:07:03.600 INFO  ChunkedExternProcessor - Running process: /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/myapp/bin/myapp.py
01-29-2020 20:07:03.710 ERROR ChunkedExternProcessor - stderr: Traceback (most recent call last):
01-29-2020 20:07:03.710 ERROR ChunkedExternProcessor - stderr:   File "/opt/splunk/etc/apps/myapp/bin/myapp.py", line 9, in <module>
01-29-2020 20:07:03.710 ERROR ChunkedExternProcessor - stderr:     class myappCommand(StreamingCommand):
01-29-2020 20:07:03.710 ERROR ChunkedExternProcessor - stderr:   File "/opt/splunk/etc/apps/myapp/bin/lib/splunklib/searchcommands/decorators.py", line 84, in __call__
01-29-2020 20:07:03.710 ERROR ChunkedExternProcessor - stderr:     ConfigurationSetting.fix_up(o.ConfigurationSettings, self.settings)
01-29-2020 20:07:03.710 ERROR ChunkedExternProcessor - stderr:   File "/opt/splunk/etc/apps/myapp/bin/lib/splunklib/searchcommands/decorators.py", line 193, in fix_up
01-29-2020 20:07:03.710 ERROR ChunkedExternProcessor - stderr:     raise ValueError('The value of configuration setting {} is fixed'.format(name))
01-29-2020 20:07:03.710 ERROR ChunkedExternProcessor - stderr: ValueError: The value of configuration setting type is fixed
01-29-2020 20:07:03.720 ERROR ChunkedExternProcessor - EOF while attempting to read transport header
01-29-2020 20:07:03.721 ERROR ChunkedExternProcessor - Error in 'myapp' command: External search command exited unexpectedly with non-zero error code 1.
01-29-2020 20:07:03.721 ERROR SearchPhaseGenerator - Fallback to two phase search failed:Error in 'myapp' command: External search command exited unexpectedly with non-zero error code 1.
01-29-2020 20:07:03.722 ERROR SearchOrchestrator - Error in 'myapp' command: External search command exited unexpectedly with non-zero error code 1.
01-29-2020 20:07:03.722 ERROR SearchStatusEnforcer - sid:1580328423.9 Error in 'myapp' command: External search command exited unexpectedly with non-zero error code 1.
01-29-2020 20:07:03.722 INFO  SearchStatusEnforcer - State changed to FAILED due to: Error in 'myapp' command: External search command exited unexpectedly with non-zero error code 1.
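
For reading a failure like the one quoted above: splunkd prefixes every stderr line from the external process, so the Python traceback is easier to read once it is reassembled. The following is an added example, not part of the original post or of the Splunk SDK; the helper name `extract_tracebacks` is hypothetical, and the sample input is a shortened copy of the log lines in the question.

```python
import re

# Sample input: a shortened copy of the search.log lines quoted in the question.
SAMPLE_LOG = """\
01-29-2020 20:07:03.600 INFO  ChunkedExternProcessor - Running process: /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/myapp/bin/myapp.py
01-29-2020 20:07:03.710 ERROR ChunkedExternProcessor - stderr: Traceback (most recent call last):
01-29-2020 20:07:03.710 ERROR ChunkedExternProcessor - stderr:   File "/opt/splunk/etc/apps/myapp/bin/myapp.py", line 9, in <module>
01-29-2020 20:07:03.710 ERROR ChunkedExternProcessor - stderr:     class myappCommand(StreamingCommand):
01-29-2020 20:07:03.710 ERROR ChunkedExternProcessor - stderr: ValueError: The value of configuration setting type is fixed
01-29-2020 20:07:03.720 ERROR ChunkedExternProcessor - EOF while attempting to read transport header
"""

# splunkd prefix: timestamp, level, component, then the child's stderr text.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) [A-Z]+\s+"
    r"ChunkedExternProcessor - stderr: (?P<text>.*)$"
)
FRAME_RE = re.compile(r'^\s+File "(?P<path>.+)", line (?P<line>\d+)')
EXC_RE = re.compile(r"^(?P<type>[A-Za-z_][\w.]*)(?:: (?P<msg>.*))?$")


def extract_tracebacks(log_text):
    """Hypothetical helper: rebuild Python tracebacks from prefixed stderr lines."""
    results, current = [], None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a stderr line from the external command
        text = m.group("text")
        if text.startswith("Traceback (most recent call last):"):
            current = {"timestamp": m.group("ts"), "frames": [], "lines": []}
        if current is None:
            continue  # stderr output outside any traceback
        current["lines"].append(text)
        frame = FRAME_RE.match(text)
        if frame:
            current["frames"].append((frame.group("path"), int(frame.group("line"))))
            continue
        exc = EXC_RE.match(text)
        if exc:  # first unindented "Type: message" line closes the traceback
            current["exception"] = exc.group("type")
            current["message"] = exc.group("msg") or ""
            results.append(current)
            current = None
    return results


if __name__ == "__main__":
    for tb in extract_tracebacks(SAMPLE_LOG):
        print(tb["timestamp"], tb["exception"], tb["message"], tb["frames"][-1])
```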

onthebay
Path Finder

GitHub shows this fix for the distributed flag not working properly:

https://github.com/splunk/splunk-sdk-python/pull/182/files

The fix seems to be in the current splunklib. Still not sure how to properly use the distributed flag since I cannot set type=streaming to force splunklib to respect distributed=true/false.

0 Karma

Lucas_K
Motivator

If it's just for testing then you can try and put "| localop" prior to the command you want to run specifically on the search head.

0 Karma

scottsavareseat
Path Finder

While not a solution, I've gotten around the problem by putting a sort command in front of my command. The sort can only run on the search head which forces my command to the search head as well.

0 Karma