New field/attribute added to raw results by python

Question

Hi

I am trying to add a new field to my search results via a custom search command written in python

Take the following snippet from the script:

results,results1,results2 = splunk.Intersplunk.getOrganizedResults()

for line in results:

line["Test"] = 'Some Test Text'

When I run a search which uses this custom search command I don't see the Test field appearing in the events list, events table or results table. Just wondering if my expectation is incorrect in terms of Splunk being able to do this

Thanks Matt

Accepted Answer

1

You have to output the results after the loop (ie. once you've modified them).

splunk.Intersplunk.outputResults(results)

link

answered 04 May '12, 03:26

ziegfried ♦
10.1k●1●6●18
accept rate: 52%

Hi ziegfried Thanks for the reply Sorry I hadn't included more of the code to make it more clear. I have the " splunk.Intersplunk.outputResults(results)" line of code after the loop finishes.

(04 May '12, 04:20) MatthewTowey

I see. The field should be available in the results then. What's the exact search, you're using? Is the field selected (ie. does it appear in the field picker - on the left)?

(04 May '12, 04:39) ziegfried ♦

Hi I am using the following search: source="file-name.txt" |<custom-search-cmd> | head 2. The field does not appear in the field picker

Thanks Matt

(04 May '12, 06:25) MatthewTowey

New field/attribute added to raw results by python

Follow this question

Splunk Resources

Related questions