topic Re: Unable to use python sdk with summary index for routine run of search query in Splunk Enterprise

Unable to use python sdk with summary index for routine run of search query

MK3 — Tue, 03 Sep 2024 13:17:03 GMT

Hello,

Can splunk python sdk be used along with a summary index? How?

I wish to schedule periodic querying and extracting the data from Splunk for which I usually used the SDK like this and it works for 1 time run as I removed my "collect index ..." code from my query -

service = client.connect( host=HOST, port=PORT, username=USERNAME, password=PASSWORD)

kwargs_oneshot = {"earliest_time": "-1h", "latest_time": "now", "output_mode": 'json', "count" : 100}

searchquery_oneshot = "search <query>" # if i want collected index results to be used below periodically i.e. every 1 hour, what change do I make in my code?

oneshotsearch_results = service.jobs.oneshot(searchquery_oneshot, **kwargs_oneshot)

Thanks

Re: Unable to use python sdk with summary index for routine run of search query

richgalloway — Tue, 03 Sep 2024 14:13:50 GMT

Summary indexes are no different from other indexes so the code you use to access one should work for the other.

How does the existing code fail? What error messages do you see? Have you checked search.log?

It's possible the query is being caught by the "risky code" trap because the collect command is considered a risky one. To avoid that, add the following lines to a command.conf file (not system/default)

[collect] is_risky = false

Re: Unable to use python sdk with summary index for routine run of search query

PickleRick — Tue, 03 Sep 2024 14:21:17 GMT

There is no such thing as "summary index" as a separate type of index 🙂

Anyway, are you sure the user you're running your search with can use the collect command?