Fieldname Validator Too Strict

[malvidin]

Recommend adding documentation to the Fieldname Validator that indicates that it rejects field names that Splunk accepts. This issue causes an error, Getinfo probe failed for external search command, which is not clear. https://github.com/splunk/splunk-sdk-python/blob/b36d6ebd988c9884a4eeb875e2c8fb50f1068d73/splunklib/searchcommands/validators.py#L115

Example field names that work in Splunk, and at least in custom Splunk 8.x commands: src{} 🐍 dest Source IP

Modifying the reported error is probably more reasonable than modifying the regular expression, since increasing the complexity to include XML and JSON spath output could be very complex.

[vmalaviya-splunk]

Greetings @malvidin

Observations dest is a valid fieldname and working fine. 🐍 is an invalid fieldname and we got an error: Illegal characters in fieldname: 🐍 Source IP is an invalid fieldname and we got an error: Illegal characters in fieldname: Source IP src{} is an invalid fieldname but somehow we got an error: Getinfo probe failed for external search command

Getinfo probe failed for external search command is thrown from the Splunk server, so it's not a part of the SDK.

Maybe you can try with the following configurations in commands.conf file to see the entire error.

[command_name]
filename = <script_filename>.py
supports_getinfo = true
supports_rawargs = true
stderr_dest = message

When stderr_dest = message, you’ll get the entire stack trace for the error as mentioned below. Reference for more details

Error in 'script': Getinfo probe failed for external search command 'countmatches'.
CommandLineParser.parse(self, argv[2:])
command.options[name].value = cls.unquote(value)
command_class().process(argv, input_file, output_file)
dispatch(CountMatchesCommand, sys.argv, sys.stdin, sys.stdout, __name__)
ifile = self._prepare_protocol_v1(argv, ifile, ofile)
raise ValueError('Illegal characters in fieldname: {}'.format(value))
return lambda this, value: setattr(this, bfn, validate(value))
self._option.__set__(self._command, value)
File "/opt/splunk/etc/apps/searchcommand_app/bin/countmatches.py", line 76, in <module>
File "/opt/splunk/etc/apps/searchcommand_app/bin/splunklib/searchcommands/decorators.py", line 323, in <lambda>
File "/opt/splunk/etc/apps/searchcommand_app/bin/splunklib/searchcommands/decorators.py", line 400, in value
File "/opt/splunk/etc/apps/searchcommand_app/bin/splunklib/searchcommands/internals.py", line 159, in parse
File "/opt/splunk/etc/apps/searchcommand_app/bin/splunklib/searchcommands/search_command.py", line 1127, in dispatch
File "/opt/splunk/etc/apps/searchcommand_app/bin/splunklib/searchcommands/search_command.py", line 433, in process
File "/opt/splunk/etc/apps/searchcommand_app/bin/splunklib/searchcommands/search_command.py", line 528, in _prepare_protocol_v1
File "/opt/splunk/etc/apps/searchcommand_app/bin/splunklib/searchcommands/search_command.py", line 592, in _process_protocol_v1
File "/opt/splunk/etc/apps/searchcommand_app/bin/splunklib/searchcommands/validators.py", line 121, in __call__
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
ValueError: Illegal characters in fieldname: src{}

In the last line, you can see that the actual cause for the failure is ValueError: Illegal characters in fieldname: src{} Let us know what you think.

[vmalaviya-splunk]

Greetings @malvidin

In the custom search command, as you can see the validate field is optional for the Option object.

fieldname = Option(
        doc='''
        **Syntax:** **fieldname=***<fieldname>*
        **Description:** Name of the field that will hold the match count''',
        require=True)

With this change, Splunk will not throw any errors and we'll be able to use src{} and other names as a fieldname.

.

[ashah-splunk]

@malvidin Closing this issue due to no response on it. Please reopen if this is still an issue.