
I'm trying to run a simple search via the Python SDK (Python 3.8.5, splunk-sdk 1.6.14). The examples presented on dev.splunk.com are clear, but something goes wrong when I run a search with my own parameters.

The code is as simple as this:

import splunklib.client as client
import splunklib.results as results

# Connect with the credentials the SDK will use (assumed placeholders; the
# original snippet referenced an already-created self.service)
service = client.connect(host="<your host>", port=8089,
                         username="<your username>", password="<your password>")

search_kwargs_params = {
    "exec_mode": "blocking",
    "earliest_time": "2020-09-04T06:57:00.000-00:00",
    "latest_time": "2020-11-08T07:00:00.000-00:00",
}
search_query = 'search index=qwe1 trace=111-aaa-222 action=Event.OpenCase'
job = service.jobs.create(search_query, **search_kwargs_params)
for result in results.ResultsReader(job.results()):
    print(result)

But the search returns no results. When I run the same query manually in the Splunk web GUI it works fine.

I've also tried putting all the parameters in the 'search_kwargs_params' dictionary and widening the search time period; I got some search results, but they seem inappropriate compared to what I get in the GUI.

Can someone advise?

murat
  • What are you expecting to see back? Have you verified your credentials to connect to Splunk via the API? – warren Oct 09 '20 at 14:53

1 Answer


This worked for me. You may also try this:


import requests
import time
import json

scheme = 'https'

host = '<your host>'

username = '<your username>'
password = '<your password>'

unique_id = '2021-03-22T18-43-00'  # You may give any unique identifier here; it becomes the job's sid

search_query = 'search <your splunk query>'

post_data = {'id': unique_id,
             'search': search_query,
             'earliest_time': '1',
             'latest_time': 'now',
             }

# 'earliest_time': '1', 'latest_time': 'now'
# This will run the search query for all time

# verify=False turns off TLS certificate checking for every request below;
# keep it only for a test instance whose certificate you cannot validate
splunk_search_base_url = (scheme + '://' + host +
                          '/servicesNS/{}/search/search/jobs'.format(username))
resp = requests.post(splunk_search_base_url, data=post_data, verify=False,
                     auth=(username, password))

print(resp.text)

is_job_completed = ''

# Poll the job until it reaches a terminal dispatchState (DONE or FAILED),
# otherwise a failed job would keep this loop running forever
while is_job_completed not in ('DONE', 'FAILED'):
    time.sleep(5)
    get_data = {'output_mode': 'json'}
    job_status_base_url = (scheme + '://' + host +
                           '/servicesNS/{}/search/search/jobs/{}'.format(username, unique_id))
    resp_job_status = requests.post(job_status_base_url, data=get_data, verify=False,
                                    auth=(username, password))
    resp_job_status_data = resp_job_status.json()
    is_job_completed = resp_job_status_data['entry'][0]['content']['dispatchState']
    print("Current job status is {}".format(is_job_completed))

# count=0 asks for all result rows; for a GET, output_mode belongs in the
# query string (params=), not in a request body (data=)
splunk_summary_base_url = (scheme + '://' + host +
                           '/servicesNS/{}/search/search/jobs/{}/results?count=0'.format(username, unique_id))
splunk_summary_results = requests.get(splunk_summary_base_url, params=get_data, verify=False,
                                      auth=(username, password))
splunk_summary_data = splunk_summary_results.json()

# Print the results in python format (strings will be in single quotes)
for data in splunk_summary_data['results']:
    print(data)

print('status code...')
print(splunk_summary_results.status_code)

print('raise for status...')
print(splunk_summary_results.raise_for_status())

print('Results as JSON : ')

# Print the results in valid JSON format (Strings will be in double quotes)

# To get complete json data:
print(json.dumps(splunk_summary_data))

# To get only the relevant json data:
print(json.dumps(splunk_summary_data['results']))

Cheers!

You may also like to have a look at this very handy tutorial: https://www.youtube.com/watch?v=mmTzzp2ldgU

Mayank
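Both the SDK snippet in the question and the REST loop in the answer stop at "wait until DONE, then read the results". When a search that works in the GUI comes back empty over the API, the job entry itself usually carries the explanation: its dispatchState, the isFailed flag, eventCount and resultCount, and the messages array the search pipeline attaches (warnings and errors are returned there rather than as an HTTP error). The following is an added example, not code from either post or from the Splunk SDK. It polls a job through an injected fetch callable so it can run offline, stops on DONE, FAILED or a timeout, returns those diagnostic fields, and pages through results with offset/count instead of count=0. The endpoint paths follow the answer's /servicesNS/{user}/search/search/jobs calls; the sample responses are constructed, and make_transport assumes the requests library is installed.

```python
"""Poll a Splunk search job over the REST API and page through its results.

Added example (not from the question, the answer, or the Splunk SDK). The HTTP
transport is injected as callables so the flow can be exercised offline with
constructed responses; make_transport() binds the same callables to the live
endpoints and assumes the `requests` library is installed.
"""
import time
from typing import Callable, Dict, List


# Endpoint paths match the answer's /servicesNS/{user}/search/search/jobs calls.
def job_status_url(base: str, user: str, sid: str) -> str:
    return f"{base}/servicesNS/{user}/search/search/jobs/{sid}"


def job_results_url(base: str, user: str, sid: str) -> str:
    return f"{base}/servicesNS/{user}/search/search/jobs/{sid}/results"


def _flag(value) -> bool:
    # Booleans arrive as true/false in JSON output and as "0"/"1" in Atom XML.
    return str(value).lower() in ("1", "true")


def summarize_job(content: Dict) -> Dict:
    """Pull the fields that explain an empty result set out of a job entry's
    'content' object (GET .../jobs/{sid}?output_mode=json -> entry[0].content)."""
    return {
        "state": content.get("dispatchState"),
        "failed": _flag(content.get("isFailed", False)),
        "event_count": int(content.get("eventCount", 0)),
        "result_count": int(content.get("resultCount", 0)),
        "messages": [m.get("text", "") for m in content.get("messages", [])],
    }


def wait_for_job(fetch_status: Callable[[], Dict], timeout_s: float = 300,
                 interval_s: float = 5, sleep: Callable[[float], None] = time.sleep) -> Dict:
    """Poll until the job is DONE; raise on FAILED or once timeout_s has elapsed.
    fetch_status() returns the parsed JSON body of the job status endpoint."""
    waited = 0.0
    while True:
        summary = summarize_job(fetch_status()["entry"][0]["content"])
        if summary["state"] == "DONE":
            return summary
        if summary["failed"] or summary["state"] == "FAILED":
            raise RuntimeError(f"search job failed: {summary['messages']}")
        if waited >= timeout_s:
            raise TimeoutError(f"job still {summary['state']} after {timeout_s}s")
        sleep(interval_s)
        waited += interval_s


def fetch_all_results(fetch_page: Callable[[int, int], Dict], page_size: int = 1000) -> List[Dict]:
    """Walk the results endpoint with offset/count rather than count=0 (all rows
    in one response). fetch_page(offset, count) returns the parsed JSON body of
    .../results?output_mode=json&offset=<offset>&count=<count>."""
    rows: List[Dict] = []
    offset = 0
    while True:
        page = fetch_page(offset, page_size).get("results", [])
        rows.extend(page)
        if len(page) < page_size:
            return rows
        offset += page_size


def make_transport(base: str, user: str, sid: str, auth, verify: bool = True):
    """Bind fetch_status/fetch_page to the live endpoints (assumes `requests`)."""
    import requests  # imported lazily so the offline demo has no dependency on it

    def fetch_status() -> Dict:
        r = requests.get(job_status_url(base, user, sid), params={"output_mode": "json"},
                         auth=auth, verify=verify, timeout=30)
        r.raise_for_status()
        return r.json()

    def fetch_page(offset: int, count: int) -> Dict:
        r = requests.get(job_results_url(base, user, sid),
                         params={"output_mode": "json", "offset": offset, "count": count},
                         auth=auth, verify=verify, timeout=30)
        r.raise_for_status()
        return r.json()

    return fetch_status, fetch_page


# Constructed sample responses (not real Splunk output) for the offline demo.
SAMPLE_STATUS = [
    {"entry": [{"content": {"dispatchState": "RUNNING", "isFailed": False,
                            "eventCount": 0, "resultCount": 0, "messages": []}}]},
    {"entry": [{"content": {"dispatchState": "DONE", "isFailed": False,
                            "eventCount": 3, "resultCount": 3,
                            "messages": [{"type": "WARN", "text": "constructed warning"}]}}]},
]
SAMPLE_PAGES = {0: {"results": [{"_raw": "event a"}, {"_raw": "event b"}]},
                2: {"results": [{"_raw": "event c"}]}}


def demo():
    """Run the poll/page flow against the constructed responses."""
    status_iter = iter(SAMPLE_STATUS)
    summary = wait_for_job(lambda: next(status_iter), sleep=lambda _s: None)
    rows = fetch_all_results(lambda offset, _count: SAMPLE_PAGES[offset], page_size=2)
    return summary, rows


if __name__ == "__main__":
    print(demo())
```

Against a live instance, `fetch_status, fetch_page = make_transport("https://<your host>:8089", "<your username>", sid, auth=("<your username>", "<your password>"))` gives the two callables to pass in; the `messages` list returned by `wait_for_job` is the first place to look when a job finishes with `event_count` of zero.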