In the previous article I couldn't sort multi-values, so I couldn't arrange them; I tried hard to make it work, but I couldn't.
Still, I'll write up what I have so far.
2020/1/19: https://github.com/gjanders/SplunkAdmins/blob/master/bin/streamfilter.py is helpful.
multivalue fields come through as a list, iterate through the list and run the regex against each entry in the multivalued field
later
Multivalue fields are sent as a ; delim string with each term incased in $, and the field name is set to __mv_fieldname. The original field name is sent as a \n delim string. Also need to set supports_multivalues in commands.conf
I'll ask you.
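The wire format described above, as an added example that is not code from the post or from streamfilter.py: a decoder and encoder for the __mv_<field> form, plus a sort that handles both that raw form and the list form the SDK hands over once supports_multivalues is set. It assumes the doubled-dollar escape for a literal $ inside a value that splunklib uses (the post only mentions the $ wrapping and ; delimiter); the sample record is constructed.

```python
import re

# Wire form of a multivalue field: each value wrapped in '$', values joined
# with ';'. A literal '$' inside a value is doubled to '$$' (assumed here, as
# splunklib does it; the post only mentions the '$' wrapping and ';' delimiter).
_MV_ITEM = re.compile(r'\$((?:\$\$|[^$])*)\$(?:;|$)')


def decode_mv(raw):
    """'$b$;$a$' -> ['b', 'a']; parses the __mv_<field> column."""
    return [m.group(1).replace('$$', '$') for m in _MV_ITEM.finditer(raw)]


def encode_mv(values):
    """Inverse of decode_mv."""
    return ';'.join('$' + v.replace('$', '$$') + '$' for v in values)


def sort_mv_field(record, field):
    """Sort multivalue field `field` of one record in place and return it.

    Two shapes can reach a streaming command:
      * raw wire form: record[field] is the '\\n'-joined values and
        record['__mv_' + field] is the '$..$;$..$' string (both must be
        rewritten together or the two columns disagree);
      * list form: record[field] is already a list, which is what the SDK
        hands over once supports_multivalues is set in commands.conf.
    A single-value str is left alone: sorted() on a str would split it into
    characters, which is what happens if the code tests for str, not list.
    """
    mv_key = '__mv_' + field
    if record.get(mv_key):
        values = sorted(decode_mv(record[mv_key]))
        record[mv_key] = encode_mv(values)
        record[field] = '\n'.join(values)
    elif isinstance(record.get(field), list):
        record[field] = sorted(record[field])
    return record


if __name__ == '__main__':
    # constructed sample record in the raw wire form
    rec = {'proc': 'sshd\nbash\ncron', '__mv_proc': '$sshd$;$bash$;$cron$'}
    print(sort_mv_field(rec, 'proc'))
    # -> {'proc': 'bash\ncron\nsshd', '__mv_proc': '$bash$;$cron$;$sshd$'}
```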
Code
mvsort.py
#!/usr/bin/env python
import sys
from splunklib.searchcommands import dispatch, StreamingCommand, Configuration, Option, validators


@Configuration()
class mvsortCommand(StreamingCommand):
    """ sort multivalue
    """
    def stream(self, records):
        self.logger.debug('mvsortCommand: %s', self)  # logs command line
        args = self.fieldnames[0]  # Argument field name
        for record in records:
            # With supports_multivalues set in commands.conf the SDK hands a
            # multivalue field over as a list; a single value stays a string
            # (unicode under Python 2, so a check for str misses it and
            # sorted() would split the value into characters). Test for list.
            if isinstance(record.get(args), list):
                record[args] = sorted(record[args])
            yield record


dispatch(mvsortCommand, sys.argv, sys.stdin, sys.stdout, __name__)
It doesn't work... :cry:
I made it with Colaboratory.
generator_test.py
#generator test
import random
num=[random.randrange(0,20) for i in range(20)]
def orig_gen():
    for i in num:
        yield i
g1=orig_gen()
j=[]
def gen_out():
    try:
        for i in g1:
            j.append(i)
            yield j  # the same list object, one element longer each time
    except:
        pass
    finally:
        yield sorted(j)  # runs once the inner generator is exhausted
g2=gen_out()
for i in g2:
    print(i)
[5]
[5, 16]
[5, 16, 6]
[5, 16, 6, 19]
[5, 16, 6, 19, 18]
[5, 16, 6, 19, 18, 3]
[5, 16, 6, 19, 18, 3, 16]
[5, 16, 6, 19, 18, 3, 16, 17]
[5, 16, 6, 19, 18, 3, 16, 17, 6]
[5, 16, 6, 19, 18, 3, 16, 17, 6, 8]
[5, 16, 6, 19, 18, 3, 16, 17, 6, 8, 8]
[5, 16, 6, 19, 18, 3, 16, 17, 6, 8, 8, 3]
[5, 16, 6, 19, 18, 3, 16, 17, 6, 8, 8, 3, 12]
[5, 16, 6, 19, 18, 3, 16, 17, 6, 8, 8, 3, 12, 13]
[5, 16, 6, 19, 18, 3, 16, 17, 6, 8, 8, 3, 12, 13, 8]
[5, 16, 6, 19, 18, 3, 16, 17, 6, 8, 8, 3, 12, 13, 8, 7]
[5, 16, 6, 19, 18, 3, 16, 17, 6, 8, 8, 3, 12, 13, 8, 7, 15]
[5, 16, 6, 19, 18, 3, 16, 17, 6, 8, 8, 3, 12, 13, 8, 7, 15, 10]
[5, 16, 6, 19, 18, 3, 16, 17, 6, 8, 8, 3, 12, 13, 8, 7, 15, 10, 1]
[5, 16, 6, 19, 18, 3, 16, 17, 6, 8, 8, 3, 12, 13, 8, 7, 15, 10, 1, 9]
[1, 3, 3, 5, 6, 6, 7, 8, 8, 8, 9, 10, 12, 13, 15, 16, 16, 17, 18, 19]
The last sorted() is working properly.
https://docs.splunk.com/DocumentationStatic/PythonSDK/1.6.14/searchcommands.html I'm not sure even if I look at the explanation, so I tried various things:
--The original event was a dict.
--In the case of multi-value, the value comes as a list.
--It is possible to attach with append(), but only the last sorted does not work.
--It should be a list of str ~
--pstree: it's amazing that something is making multi-value to the fullest.
I'm stuck, so I'll go to Splunk> Answers to study Python.