Splunk Search

custom command help

rakesh_498115
Motivator

Hi ..

In my Splunk results, say I get a lot of numerical values for a field, say "A". Now I want the avg of the top 95 values of field A, so I have defined a function in Python like this:

# test.py

def myfunction(r):
    # r is the list of values of field A; average the first 95 of them
    best = r[0:95]
    if not best:
        return None
    AvgBest95 = sum(best) / len(best)
    return AvgBest95

and I have given the command name in commands.conf:

[test]
filename = test.py

In authorize.conf I have also defined the stanza as

[capability::run_script_test]

[role_admin]
run_script_test = enabled

So now when I run the command in the search, it is not showing any values...

I have used my search like this:

sourcetype="mydata" | table A | test myfunction(A)

Please help if I am missing anything...


rakesh_498115
Motivator

Yeah Ayn, we are paid partners for Splunk. We often get in touch with them, and they have suggested the first place to go is always Splunkbase, so I posted this question. I want to start with my own custom commands. Thanks for your link, I am going through it. Hopefully I will be able to do some custom commands.


dwaddle
SplunkTrust

If I may plug my own app, http://splunk-base.splunk.com/apps/35644/base64-custom-command, it demonstrates just about the "most minimally viable" custom command. There is a lot of stuff there that is absolutely necessary boilerplate. It is boilerplate you need to understand to connect what you want your custom command "to do" to Splunk's custom command input and output plumbing.

Basically, custom commands need to read events on stdin, do the needful, then write the new results to stdout. And you will need to take into account that in certain situations your custom command may be called more than once by Splunk and may "see" the same event more than once.

All of that said, why did you not simply do a

| head 95 | stats avg(A) as avg_first_95_A

it's not like the search language does not have these constructs built in already...

rakesh_498115
Motivator

Hi dwaddle, alacercogitatus. I knew we could do it the way you suggested; I wanted to get some practice with custom commands, so I raised this question.


alacercogitatus
SplunkTrust

|top A limit=95 | stats avg(A) I think is more in line with what he wants :D. http://www.keepcalmandposters.com/posters/54856.png

Ayn
Legend

(I thought you were getting personal help from Splunk's partner team?)

Ayn
Legend

You should read up on the basics before you dive into this. I honestly don't know where to start - for one, you can't call individual functions in custom commands like you're trying to do. Then there's the issue that custom commands need to use Splunk packages for receiving and outputting data. You need to read this, among other things. http://docs.splunk.com/Documentation/Splunk/5.0.2/AdvancedDev/SearchScripts
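A minimal version of the stdin-to-stdout contract dwaddle and Ayn describe above, added here as an example (not code from this thread or from Splunk): the script reads the CSV that Splunk pipes to it, averages the 95 largest numeric values of field A, and writes one CSV row back. It assumes enableheader = false in the command's commands.conf stanza so that stdin is plain CSV, takes "top 95" to mean the 95 largest values, and uses Python's csv module rather than Splunk's bundled helper so it runs outside Splunk; the sample input is constructed.

```python
# avgbest95.py - example custom search command (not Splunk's own code)
# Splunk sends the search results to stdin as CSV (enableheader = false
# is assumed) and reads the command's output CSV back from stdout.
import csv
import io
import sys

FIELD = "A"   # the field from the question
TOP_N = 95    # how many of the largest values to average


def avg_top_n(values, n=TOP_N):
    """Average of the n largest values; None when there are no values."""
    best = sorted(values, reverse=True)[:n]
    if not best:
        return None
    return sum(best) / len(best)


def process_results(csv_text, field=FIELD, n=TOP_N):
    """Parse the CSV Splunk passes in and return (output_csv, average).

    Cells that are empty or not numeric are skipped, as stats avg() does.
    """
    values = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            values.append(float((row.get(field) or "").strip()))
        except ValueError:
            continue
    avg = avg_top_n(values, n)
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=["AvgBest95"], lineterminator="\n")
    writer.writeheader()          # the header row names the output field
    if avg is not None:
        writer.writerow({"AvgBest95": avg})
    return out.getvalue(), avg


# Constructed sample: what "| table A" might pipe to the script
# (one non-numeric cell and one empty line, both of which are skipped).
SAMPLE_CSV = "A\n10\n7\nx\n\n3\n22\n"

if __name__ == "__main__":
    # Under Splunk the results arrive on stdin; interactively, use the sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CSV
    sys.stdout.write(process_results(data)[0])
```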

rakesh_498115
Motivator

Yeah, the code snippet is there in the Python file. I am not getting how I can pass this value of my field A to my function in the Python file....


Ayn
Legend

Is that code snippet all there is in your Python file?? In that case you have MUCH reading to do on how to create a custom command.
