Splunk Dev
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is it possible to make an mvexpand in custom python search function?

sbsbb
Builder
‎08-16-2014 01:17 AM

I would like to make a streamable custom function, that get some xml message :

index=* parameter1=2 | myCustomFunction

This function should read the content of field1, and for each element write a new line.
Is it possible to make an "mvexpand" in my custom python search function ? Can I add a result event ?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

MuS
Legend
‎08-18-2014 03:44 AM

Hi sbsbb,

yes, this is possible within your script. You need to load the following Splunk Python module splunk.Intersplunk and use splunk.Intersplunk.getOrganizedResults() to recieve key=value pairs from the previous results.

This means, if your base search returns field1=foo your script can then use this key field1 and its value of foo.

As always, docs is a good place to start Custom search commands

hope this helps to get you started ...

cheers, MuS

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

MuS
Legend
‎08-18-2014 03:44 AM

Hi sbsbb,

yes, this is possible within your script. You need to load the following Splunk Python module splunk.Intersplunk and use splunk.Intersplunk.getOrganizedResults() to recieve key=value pairs from the previous results.

This means, if your base search returns field1=foo your script can then use this key field1 and its value of foo.

As always, docs is a good place to start Custom search commands

hope this helps to get you started ...

cheers, MuS

0 Karma
Reply
Solved! Jump to solution

sbsbb
Builder
‎08-25-2014 07:54 AM

I know that...
In fact I was not aware that I can simply just append many row to the results (thats what mvexpand make) :
for result in results:

        out_results.append(result)
        out_results.append(result)  

    si.outputResults(out_results)
0 Karma
Reply
Solved! Jump to solution

MuS
Legend
‎08-18-2014 06:46 AM

okay, completely miss understood the question in this case 🙂

Still, if you want to write a custom command that reads something from events ( like mvexpand does ) your custom command script needs the splunk.Intersplunk module to be loaded.

0 Karma
Reply
Solved! Jump to solution

sbsbb
Builder
‎08-18-2014 06:37 AM

That doesn't help at all, sorry, I was asking on how to make a mvexpand in my code... not how to retrieve Data...

Let say, I'm reading a line, and I want to duplicate this line x-time, to expand the values from one field (what mvexpand make in the search command, but I need to make it in the script)

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...