Refine your search:

splunk.Intersplunk.outputResults sending another header? Or bad commands.conf options?

0

When using splunk.Intersplunk.outputResults for even 1 record as a streaming command, I get an extra header with a improperly casted time field that ends up making the search compain about fields coming back in the wrong time order thus throwing an error.

The external search command 'command' did not return events in descending time order, as expected.

if I turn off streaming, I get:

    _time                    commandfield    logfield
1   4/3/74 10:46:24.314 AM   commandfield    logfield
2   4/8/11 10:00:26.000 PM   5.39677852134   value1
3   4/8/11 10:00:26.000 PM   5.39677852134   value2
4   4/8/11 10:00:12.000 PM   5.1593157535    value3
5   4/8/11 10:00:12.000 PM   5.1593157535    value4
6   4/8/11 9:59:55.000 PM    5.52337405618   value5
7   4/8/11 9:59:55.000 PM    5.53858132907   value6
8   4/8/11 9:59:55.000 PM    5.53426175508   value7

I've tried using outputheader=true and I get zero results

I'm probably doing something dumb, backwards or wrong but I just don't see it yet...

asked 08 Apr '11, 22:14

rshoward's gravatar image

rshoward
526
accept rate: 100%

One Answer:
oldestnewestmost voted
1

That output looks very strange.

I'm unsure about all the settings for your command in command.conf.

I'm also unsure what your command is doing with the _time values -- whether it's casting them to a string, for example.

This would be putting a bandaid on cancer, but you might want to look at the generates_timeorder and overrides_timeorder settings for your command in commands.conf.

link

answered 14 Apr '11, 04:04

carasso's gravatar image

carasso ♦♦
3.2k319
accept rate: 45%

this was all in my fast and flustered attempt at getting my first streaming command, and first python code (Yes I've been living under a rock, but only renting), to run before the weekend.

I ended up with http://answers.splunk.com/questions/13636/calculate-entropy-just-entropy-not-change-in-entropy-like-associate/13701#13701

I came to the conclusion that I might have been using the functions completely backwards. (bulk for streaming etc)

(14 Apr '11, 16:24) rshoward
Post your answer
toggle preview

Follow this question

Log In to enable email subscriptions

RSS:

Answers

Answers + Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Tags:

×93
×86
×39

Asked: 08 Apr '11, 22:14

Seen: 524 times

Last updated: 14 Apr '11, 04:04

Related questions

Where is the python API for splunk.Intersplunk?

Custom search commands and authorize.conf in 4.1?

Debugging Custom Splunk Search Commands

Custom Python script executes twice?

python script as unarchive_cmd in props.conf?

Debugging custom search commands

Scripted Lookup Script doesn't work with Splunk Python version but works fine with Python 2.7

Custom search script that only produces keys

Can a custom search script invoke an eval/where expression?

Copyright © 2005-2012 Splunk, Inc. All rights reserved.