I am trying to pass a query from Python (Eclipse IDE) to extract data from a specific dashboard on Splunk Enterprise. I am able to get data printed on my console by passing the required queries, however I am not able to extract data for a specific time interval (like if I want data for 1 hour, 1 day, 1 week or 1 month).
I have tried commands like 'earliest' and 'latest' along with my query, but every time it throws an error stating "raise HTTPError(response) splunklib.binding.HTTPError: HTTP 400 Bad Request -- Search Factory: Unknown search command 'earliest'"
Here is my code:
import splunklib.client as client
import splunklib.results as results

HOST = "my hostname"
PORT = 8089
USERNAME = "my username"
PASSWORD = "my password"

service = client.connect(
    host=HOST,
    port=PORT,
    username=USERNAME,
    password=PASSWORD)

rr = results.ResultsReader(service.jobs.export("search index=ccmjimmie | stats count(eval(resCode!=00200)) AS errored | chart sum(errored)|earliest=-1d"))
for result in rr:
    if isinstance(result, results.Message):
        # Diagnostic messages might be returned in the results
        print(result.type, result.message)
    elif isinstance(result, dict):
        # Normal events are returned as dicts
        print(result)
assert not rr.is_preview
Output I am getting without using the time query:
OrderedDict([('sum(errored)', '1566')])
OrderedDict([('sum(errored)', '4404')])
OrderedDict([('sum(errored)', '6655')])
OrderedDict([('sum(errored)', '8992')])
etc...
This output is the same as expected, but not bounded by time. I want the same output but for a given time interval, and the time interval should be passed from the search query "service.jobs.export()" in the above Python code.
Please let me know how I can pass a 'time' query along with my required query.
Any help is most appreciated! Thanks in advance!
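Worked example added by the editor, not part of the question or of the Splunk SDK. The 400 error in the question comes from the position of `earliest=-1d`: everything after a `|` is parsed as a search command, so `... | chart sum(errored)|earliest=-1d` makes Splunk look for a command named `earliest`. Time bounds go either into the base search, before the first pipe (`search index=ccmjimmie earliest=-1d latest=now | ...`), or into the `earliest_time`/`latest_time` parameters of `service.jobs.export()`. The helpers below build both forms and flag the misplaced-modifier mistake; `index=ccmjimmie` and the `resCode` pipeline are taken from the question, while `misplaced_time_modifiers`, `build_bounded_search`, `export_kwargs`, `errored_per_interval` and the relative-time regex (a subset of Splunk's syntax) are my own.

```python
import re

# Subset of Splunk's relative-time syntax, assumed for this example: "now", an epoch
# timestamp, or [+-]<n><unit> with an optional "@<snap>" suffix (e.g. -1d, -7d@d, -1mon).
_TIME_SPEC = re.compile(r"^(now|\d{9,10}|[+-]?\d+(s|m|h|d|w|mon|y)(@\w+)?)$")


def validate_time(spec):
    """Return spec unchanged if it is a time modifier this example recognises, else raise."""
    if not _TIME_SPEC.match(spec):
        raise ValueError("unsupported time modifier: %r" % spec)
    return spec


def misplaced_time_modifiers(query):
    """List earliest=/latest= tokens that sit after the first pipe.

    Splunk parses the text after '|' as a command, so 'chart ... | earliest=-1d'
    yields "Unknown search command 'earliest'". Modifiers before the first pipe are fine.
    """
    _, sep, tail = query.partition("|")
    if not sep:
        return []
    return re.findall(r"\b(?:earliest|latest)=\S+", tail)


def build_bounded_search(base_search, pipeline, earliest, latest="now"):
    """Form 1: put the time bounds into the base search, i.e. before the first pipe."""
    validate_time(earliest)
    validate_time(latest)
    if not base_search.startswith("search "):
        base_search = "search " + base_search
    query = "%s earliest=%s latest=%s" % (base_search, earliest, latest)
    if pipeline:
        query += " | " + pipeline
    bad = misplaced_time_modifiers(query)
    if bad:
        raise ValueError("time modifiers after a pipe: %s" % bad)
    return query


def export_kwargs(earliest, latest="now"):
    """Form 2: leave the query untouched and bound the job via REST parameters."""
    return {"earliest_time": validate_time(earliest), "latest_time": validate_time(latest)}


def errored_per_interval(service, earliest, latest="now"):
    """Run the question's search bounded to [earliest, latest] using form 2 and return
    the chart rows as a list of dicts. `service` is a connected splunklib client."""
    import splunklib.results as results  # imported here so the helpers above run without the SDK

    # No time tokens in the query itself; the bounds travel as job parameters.
    query = ("search index=ccmjimmie "
             "| stats count(eval(resCode!=00200)) AS errored | chart sum(errored)")
    rows = []
    for item in results.ResultsReader(service.jobs.export(query, **export_kwargs(earliest, latest))):
        if isinstance(item, results.Message):
            print(item.type, item.message)  # diagnostics such as truncation warnings
        elif isinstance(item, dict):
            rows.append(item)
    return rows


if __name__ == "__main__":
    # The question's query, checked for the misplaced modifier (no Splunk connection needed).
    broken = "search index=ccmjimmie | stats count(eval(resCode!=00200)) AS errored | chart sum(errored)|earliest=-1d"
    print("misplaced:", misplaced_time_modifiers(broken))
    print(build_bounded_search("index=ccmjimmie",
                               "stats count(eval(resCode!=00200)) AS errored | chart sum(errored)",
                               "-1d"))
    print(export_kwargs("-7d@d", "now"))
```

Use `errored_per_interval(service, "-1h")`, `"-1d"`, `"-7d"` or `"-1mon"` for the four intervals in the question; if a search-language modifier and an `earliest_time` parameter are both given, the one inside the query wins, so pick one form per call.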