Open malvidin opened 4 years ago
Thanks for reporting this, we will investigate and attempt to provide a fix - the thorough info and resolution steps are a huge help!
Hi @malvidin, we have evaluated this suggested change with quoting = csv.QUOTE_ALL
but have found that this generated many empty/invalid fields that were not present before the change, given this undesirable behavior we can't take that solution however I will leave this issue Open as the problem still remains.
If data is sent to an external command, data can be modified unexpectedly because leading spaces are ignored when sent back to Splunk from the SDK. It is possible that this issue should to be addressed on the receiving Splunk CSV reader, not the SDK CSV writer, but that is outside of the scope of the Splunk Python SDK.
Issue was confirmed with: SDK 1.6.13 Python 2 and Python 3 Splunk 8.0.4.1 (Docker)
This streaming command adds a field named
six_spaces
, and adds two spaces to a specified field.If
my_command
is run like the following:I would expect that all fields would contain spaces, a number, or the string "true". However, none of the space fields contain any spaces after the streaming command is performed, including fields not referenced in the command.
A workaround is to modify line 364 of internals.py to
quoting = csv.QUOTE_ALL
Because the data is read in properly and available during the streaming command execution, it appears that the correct CSV data it sends back to Splunk is inappropriately modified. It could be a CSV reader misconfiguration, use of string.strip(), or something else.https://github.com/splunk/splunk-sdk-python/blob/93cbf44dfc83312cb12869504b050f8034efeb43/splunklib/searchcommands/internals.py#L364