I have a working custom ReportingCommand in place, using the Python SDK 1.5.0.
My command needs some fields that have been placed in the event by some transforms for the sourcetype.
I have a problem: if a query using my custom command is executed in fast mode, the fields needed by my command are not present in the events presented to my command's map() method. The fields are there if executed in verbose mode.
**How do I tell Splunk not to optimize those fields out?** I tried putting
```
[netbotzreport]
filename = netbotzreport.py
enableheader = true
outputheader = true
requires_srinfo = true
stderr_dest = message
supports_getinfo = true
supports_rawargs = true
supports_multivalues = true
local = true
streaming = true
required_fields=mib,oid,snmp_index,value
```
in my commands.conf, but that did not help.