Hi!
I created a custom command for comparing JSON.
The steps to create it:
0) created fieldcompare folder in etc/apps (with bin, metadata and default subfolders)
1) fieldcompare.py (in etc/apps/fieldcompare/bin)
    # custom command
    import splunk.Intersplunk
    import json
    from splunklib.searchcommands import \
        dispatch, StreamingCommand, Configuration, Option, validators
    # long def function (searchleveljson) that looks for things in jsons
    #etc etc
    (isgetinfo, sys.argv) = splunk.Intersplunk.isGetInfo(sys.argv)
    args, kwargs = splunk.Intersplunk.getKeywordsAndOptions()
    if isgetinfo:
        # streaming, generating, retevs, reqsop, preop
        splunk.Intersplunk.outputInfo(True, False, False, False, None)
    (results, dummyresults, settings) = splunk.Intersplunk.getOrganizedResults()
    field1 = kwargs.get("field1", "field1")
    field2 = kwargs.get("field2", "field2")
    try:
        for result in results:
            try:
                j1 = json.load(field1)
                j2 = json.load(field2)
            except KeyError:
                # If either field is missing, simply ignore
                continue
            resultKey = list()
            resultValues = list()
            searchleveljson(j1,j2,resultKey,resultValues)
            result["mismatched keys"]=json.dumps(resultKey)
            result["Value diff"]=json.dumps(resultValues)
        splunk.Intersplunk.outputResults(results)
2) commands.conf (in etc/apps/fieldcompare/default)
    [fieldcompare]
    filename = fieldcompare.py
    supports_getinfo = true
3) default.meta (in etc/apps/fieldcompare/metadata)
    [commands/fieldcompare]
    access = read : [ * ], write : [ admin ]
    export = system

    [scripts/fieldcompare.py]
    access = read : [ * ], write : [ admin ]
    export = system
4) copy splunklib (with modularinput and searchcommands) in etc/apps/fieldcompare/bin from etc\apps\framework\contrib\splunk-sdk-python
5) Restart splunk
6) index=* etc etc | table expected actual | fieldcompare field1=expected field2=actual
but I get an error that says:
Error in 'script': Getinfo probe failed for external search command 'fieldcompare'
What am I doing wrong?
Thanks,
have a good day.
Debora
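
The per-row comparison that step 1 is aiming for, as an added example that runs without Splunk (it is not the poster's code or Splunk's): each row's field values are parsed with `json.loads`, and a missing field or invalid JSON is handled per row. The recursive `diff_json` stands in for the elided `searchleveljson`, and the `fieldcompare_error` field name is an assumption.

```python
import json


def diff_json(a, b, path=""):
    """Return (mismatched_keys, value_diffs) for two parsed JSON values."""
    keys, values = [], []
    if isinstance(a, dict) and isinstance(b, dict):
        for k in sorted(set(a) | set(b)):
            p = f"{path}.{k}" if path else k
            if k not in a or k not in b:
                keys.append(p)  # key present on one side only
            else:
                sub_k, sub_v = diff_json(a[k], b[k], p)
                keys += sub_k
                values += sub_v
    elif isinstance(a, list) and isinstance(b, list) and len(a) == len(b):
        for i, (x, y) in enumerate(zip(a, b)):
            sub_k, sub_v = diff_json(x, y, f"{path}[{i}]")
            keys += sub_k
            values += sub_v
    elif a != b:
        values.append({"path": path, "field1": a, "field2": b})
    return keys, values


def compare_row(result, field1="field1", field2="field2"):
    """Annotate one search result (dict of field name -> string value)."""
    try:
        j1 = json.loads(result[field1])  # parse the row's value, not the field name
        j2 = json.loads(result[field2])
    except KeyError:
        return result  # either field missing: leave the row untouched
    except (TypeError, ValueError):
        result["fieldcompare_error"] = "invalid JSON"  # hypothetical field name
        return result
    keys, values = diff_json(j1, j2)
    result["mismatched keys"] = json.dumps(keys)
    result["Value diff"] = json.dumps(values)
    return result


# Constructed sample rows, shaped like the output of `| table expected actual`
ROWS = [
    {"expected": '{"user": "alice", "roles": ["admin"], "mfa": true}',
     "actual": '{"user": "alice", "roles": ["user"], "src": "10.0.0.5"}'},
    {"expected": '{"a": 1}'},                        # "actual" is missing
    {"expected": '{"a": 1}', "actual": "not json"},  # unparseable value
]

if __name__ == "__main__":
    for row in ROWS:
        print(compare_row(dict(row), "expected", "actual"))
```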